CVE-2020-27604

MEDIUM Year: 2020
CVSS v3 Score
6.5
Medium
CVSS v2 Score
4.0
Medium
Weakness Type
CWE-116
View all →

Vulnerability Description

BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.

Related Vulnerabilities

CVE-2009-4267

MEDIUM
CVSS:6.5(Medium)

The console in Apache jUDDI 3.0.0 does not properly escape line feeds, which allows remote authenticated users to spoof log entries via the numRows parameter.

CWE-1162009

CVE-2019-0857

MEDIUM
CVSS:6.5(Medium)

A spoofing vulnerability that could allow a security feature bypass exists in when Azure DevOps Server does not properly sanitize user provided input, aka 'Azure DevOps Server Spoofing Vulnerability'.

CWE-1162019

CVE-2019-0956

MEDIUM
CVSS:6.5(Medium)

An information disclosure vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft SharePoint S...

CWE-1162019

CVE-2019-0971

MEDIUM
CVSS:6.5(Medium)

An information disclosure vulnerability exists when Azure DevOps Server and Microsoft Team Foundation Server do not properly sanitize a specially crafted authentication request to an affected server, ...

CWE-1162019

CVE-2021-28662

MEDIUM
CVSS:6.5(Medium)

An issue was discovered in Squid 4.x before 4.15 and 5.x before 5.0.6. If a remote server sends a certain response header over HTTP or HTTPS, there is a denial of service. This header can plausibly oc...

CWE-1162021

CVE-2021-30640

MEDIUM
CVSS:6.5(Medium)

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This ...

CWE-1162021