Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for greenlight by bigbluebutton

    CVE-2022-36029 (GCVE-0-2022-36029)

    Vulnerability from nvd – Published: 2024-04-25 20:42 – Updated: 2024-08-29 20:11
    VLAI
    Title
    BigBlueButton Greenlight Open Redirect vulnerability
    Summary
    Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    bigbluebutton greenlight Affected: 0 , < 2.13.0 (semver)
    Create a notification for this product.
    bigbluebutton greenlight Affected: 0 , < 2.13.0 (semver)
        cpe:2.3:a:bigbluebutton:greenlight:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T09:52:00.349Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.com/bounties/ba5834bd-1f04-4936-8e93-2442d45403bahttps://"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/commit/20fe1ee71b5703fcc4ed698a959ad224fed19623"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:bigbluebutton:greenlight:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "greenlight",
                "vendor": "bigbluebutton",
                "versions": [
                  {
                    "lessThan": "2.13.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36029",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-27T20:17:21.028398Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T20:11:18.365Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "greenlight",
              "product": "greenlight",
              "repo": "https://github.com/bigbluebutton/greenlight",
              "vendor": "bigbluebutton",
              "versions": [
                {
                  "lessThan": "2.13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.\u003cbr\u003e"
                }
              ],
              "value": "Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-25T20:42:15.171Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://huntr.com/bounties/ba5834bd-1f04-4936-8e93-2442d45403bahttps://"
            },
            {
              "url": "https://github.com/bigbluebutton/greenlight/commit/20fe1ee71b5703fcc4ed698a959ad224fed19623"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "BigBlueButton Greenlight Open Redirect vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-36029",
        "datePublished": "2024-04-25T20:42:15.171Z",
        "dateReserved": "2022-07-15T23:52:24.306Z",
        "dateUpdated": "2024-08-29T20:11:18.365Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36028 (GCVE-0-2022-36028)

    Vulnerability from nvd – Published: 2024-04-25 20:36 – Updated: 2024-08-03 09:51
    VLAI
    Title
    BigBlueButton Greenlight Open Redirect vulnerability
    Summary
    Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    bigbluebutton greenlight Affected: 0 , < 2.13.0 (semver)
    Create a notification for this product.
    bigbluebutton greenlight Affected: -
        cpe:2.3:a:bigbluebutton:greenlight:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:bigbluebutton:greenlight:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "greenlight",
                "vendor": "bigbluebutton",
                "versions": [
                  {
                    "status": "affected",
                    "version": "-"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36028",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-29T12:14:11.870444Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:16:12.992Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T09:51:59.902Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.com/bounties/ba5834bd-1f04-4936-8e93-2442d45403bahttps://"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/commit/20fe1ee71b5703fcc4ed698a959ad224fed19623"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "greenlight",
              "product": "greenlight",
              "repo": "https://github.com/bigbluebutton/greenlight",
              "vendor": "bigbluebutton",
              "versions": [
                {
                  "lessThan": "2.13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.\u003cbr\u003e"
                }
              ],
              "value": "Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-25T20:36:37.543Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://huntr.com/bounties/ba5834bd-1f04-4936-8e93-2442d45403bahttps://"
            },
            {
              "url": "https://github.com/bigbluebutton/greenlight/commit/20fe1ee71b5703fcc4ed698a959ad224fed19623"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "BigBlueButton Greenlight Open Redirect vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-36028",
        "datePublished": "2024-04-25T20:36:37.543Z",
        "dateReserved": "2022-07-15T23:52:24.305Z",
        "dateUpdated": "2024-08-03T09:51:59.902Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-31039 (GCVE-0-2022-31039)

    Vulnerability from nvd – Published: 2022-06-27 19:25 – Updated: 2025-04-23 18:07
    VLAI
    Title
    Improper privilege management - Anyone can view room settings in GreenLight
    Summary
    Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room's settings. This issue has been patched in release version 2.12.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    bigbluebutton greenlight Affected: < 2.12.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T07:03:40.228Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/security/advisories/GHSA-phh8-3v6v-7498"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/pull/3508"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-31039",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T14:04:40.869036Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T18:07:57.100Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "greenlight",
              "vendor": "bigbluebutton",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room\u0027s settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room\u0027s settings. This issue has been patched in release version 2.12.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-27T19:25:12.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/bigbluebutton/greenlight/security/advisories/GHSA-phh8-3v6v-7498"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bigbluebutton/greenlight/pull/3508"
            }
          ],
          "source": {
            "advisory": "GHSA-phh8-3v6v-7498",
            "discovery": "UNKNOWN"
          },
          "title": "Improper privilege management - Anyone can view room settings in GreenLight",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2022-31039",
              "STATE": "PUBLIC",
              "TITLE": "Improper privilege management - Anyone can view room settings in GreenLight"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "greenlight",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 2.12.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "bigbluebutton"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room\u0027s settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room\u0027s settings. This issue has been patched in release version 2.12.6."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269: Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/bigbluebutton/greenlight/security/advisories/GHSA-phh8-3v6v-7498",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/bigbluebutton/greenlight/security/advisories/GHSA-phh8-3v6v-7498"
                },
                {
                  "name": "https://github.com/bigbluebutton/greenlight/pull/3508",
                  "refsource": "MISC",
                  "url": "https://github.com/bigbluebutton/greenlight/pull/3508"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-phh8-3v6v-7498",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-31039",
        "datePublished": "2022-06-27T19:25:12.000Z",
        "dateReserved": "2022-05-18T00:00:00.000Z",
        "dateUpdated": "2025-04-23T18:07:57.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-26497 (GCVE-0-2022-26497)

    Vulnerability from nvd – Published: 2022-06-02 00:00 – Updated: 2024-08-03 05:03
    VLAI
    Summary
    BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:03:32.975Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the \"Share room access\" dialog if the victim has shared access to the particular room with the attacker previously."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-04T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352"
            },
            {
              "url": "https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/"
            },
            {
              "url": "http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-26497",
        "datePublished": "2022-06-02T00:00:00.000Z",
        "dateReserved": "2022-03-06T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:03:32.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27642 (GCVE-0-2020-27642)

    Vulnerability from nvd – Published: 2020-10-22 12:56 – Updated: 2024-08-04 16:18
    VLAI
    Summary
    A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:18:45.476Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/pull/2214"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A cross-site scripting (XSS) vulnerability exists in the \u0027merge account\u0027 functionality in admins.js in BigBlueButton Greenlight 2.7.6."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-10-22T12:56:56.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bigbluebutton/greenlight/pull/2214"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-27642",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A cross-site scripting (XSS) vulnerability exists in the \u0027merge account\u0027 functionality in admins.js in BigBlueButton Greenlight 2.7.6."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/bigbluebutton/greenlight/pull/2214",
                  "refsource": "MISC",
                  "url": "https://github.com/bigbluebutton/greenlight/pull/2214"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-27642",
        "datePublished": "2020-10-22T12:56:56.000Z",
        "dateReserved": "2020-10-22T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:18:45.476Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-26163 (GCVE-0-2020-26163)

    Vulnerability from nvd – Published: 2020-09-30 15:28 – Updated: 2024-08-04 15:49
    VLAI
    Summary
    BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:49:07.140Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.sakshamanand.com/host-header-injection-bigbluebutton/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/releases/tag/release-2.5.6"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/pull/1543"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-09-30T15:28:54.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.sakshamanand.com/host-header-injection-bigbluebutton/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bigbluebutton/greenlight/releases/tag/release-2.5.6"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bigbluebutton/greenlight/pull/1543"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-26163",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.sakshamanand.com/host-header-injection-bigbluebutton/",
                  "refsource": "MISC",
                  "url": "https://www.sakshamanand.com/host-header-injection-bigbluebutton/"
                },
                {
                  "name": "https://github.com/bigbluebutton/greenlight/releases/tag/release-2.5.6",
                  "refsource": "MISC",
                  "url": "https://github.com/bigbluebutton/greenlight/releases/tag/release-2.5.6"
                },
                {
                  "name": "https://github.com/bigbluebutton/greenlight/pull/1543",
                  "refsource": "MISC",
                  "url": "https://github.com/bigbluebutton/greenlight/pull/1543"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-26163",
        "datePublished": "2020-09-30T15:28:54.000Z",
        "dateReserved": "2020-09-30T00:00:00.000Z",
        "dateUpdated": "2024-08-04T15:49:07.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36029 (GCVE-0-2022-36029)

    Vulnerability from cvelistv5 – Published: 2024-04-25 20:42 – Updated: 2024-08-29 20:11
    VLAI
    Title
    BigBlueButton Greenlight Open Redirect vulnerability
    Summary
    Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    bigbluebutton greenlight Affected: 0 , < 2.13.0 (semver)
    Create a notification for this product.
    bigbluebutton greenlight Affected: 0 , < 2.13.0 (semver)
        cpe:2.3:a:bigbluebutton:greenlight:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T09:52:00.349Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.com/bounties/ba5834bd-1f04-4936-8e93-2442d45403bahttps://"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/commit/20fe1ee71b5703fcc4ed698a959ad224fed19623"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:bigbluebutton:greenlight:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "greenlight",
                "vendor": "bigbluebutton",
                "versions": [
                  {
                    "lessThan": "2.13.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36029",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-27T20:17:21.028398Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-29T20:11:18.365Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "greenlight",
              "product": "greenlight",
              "repo": "https://github.com/bigbluebutton/greenlight",
              "vendor": "bigbluebutton",
              "versions": [
                {
                  "lessThan": "2.13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.\u003cbr\u003e"
                }
              ],
              "value": "Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-25T20:42:15.171Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://huntr.com/bounties/ba5834bd-1f04-4936-8e93-2442d45403bahttps://"
            },
            {
              "url": "https://github.com/bigbluebutton/greenlight/commit/20fe1ee71b5703fcc4ed698a959ad224fed19623"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "BigBlueButton Greenlight Open Redirect vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-36029",
        "datePublished": "2024-04-25T20:42:15.171Z",
        "dateReserved": "2022-07-15T23:52:24.306Z",
        "dateUpdated": "2024-08-29T20:11:18.365Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-36028 (GCVE-0-2022-36028)

    Vulnerability from cvelistv5 – Published: 2024-04-25 20:36 – Updated: 2024-08-03 09:51
    VLAI
    Title
    BigBlueButton Greenlight Open Redirect vulnerability
    Summary
    Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
    Assigner
    Impacted products
    Vendor Product Version
    bigbluebutton greenlight Affected: 0 , < 2.13.0 (semver)
    Create a notification for this product.
    bigbluebutton greenlight Affected: -
        cpe:2.3:a:bigbluebutton:greenlight:-:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:bigbluebutton:greenlight:-:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "greenlight",
                "vendor": "bigbluebutton",
                "versions": [
                  {
                    "status": "affected",
                    "version": "-"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-36028",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-04-29T12:14:11.870444Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-04T17:16:12.992Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T09:51:59.902Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://huntr.com/bounties/ba5834bd-1f04-4936-8e93-2442d45403bahttps://"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/commit/20fe1ee71b5703fcc4ed698a959ad224fed19623"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageName": "greenlight",
              "product": "greenlight",
              "repo": "https://github.com/bigbluebutton/greenlight",
              "vendor": "bigbluebutton",
              "versions": [
                {
                  "lessThan": "2.13.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.\u003cbr\u003e"
                }
              ],
              "value": "Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue.\n"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-601",
                  "description": "CWE-601 URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-04-25T20:36:37.543Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "url": "https://huntr.com/bounties/ba5834bd-1f04-4936-8e93-2442d45403bahttps://"
            },
            {
              "url": "https://github.com/bigbluebutton/greenlight/commit/20fe1ee71b5703fcc4ed698a959ad224fed19623"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "BigBlueButton Greenlight Open Redirect vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-36028",
        "datePublished": "2024-04-25T20:36:37.543Z",
        "dateReserved": "2022-07-15T23:52:24.305Z",
        "dateUpdated": "2024-08-03T09:51:59.902Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-31039 (GCVE-0-2022-31039)

    Vulnerability from cvelistv5 – Published: 2022-06-27 19:25 – Updated: 2025-04-23 18:07
    VLAI
    Title
    Improper privilege management - Anyone can view room settings in GreenLight
    Summary
    Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room's settings. This issue has been patched in release version 2.12.6.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    bigbluebutton greenlight Affected: < 2.12.6
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T07:03:40.228Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/security/advisories/GHSA-phh8-3v6v-7498"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/pull/3508"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-31039",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T14:04:40.869036Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T18:07:57.100Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "greenlight",
              "vendor": "bigbluebutton",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.12.6"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room\u0027s settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room\u0027s settings. This issue has been patched in release version 2.12.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269: Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-27T19:25:12.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/bigbluebutton/greenlight/security/advisories/GHSA-phh8-3v6v-7498"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bigbluebutton/greenlight/pull/3508"
            }
          ],
          "source": {
            "advisory": "GHSA-phh8-3v6v-7498",
            "discovery": "UNKNOWN"
          },
          "title": "Improper privilege management - Anyone can view room settings in GreenLight",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2022-31039",
              "STATE": "PUBLIC",
              "TITLE": "Improper privilege management - Anyone can view room settings in GreenLight"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "greenlight",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 2.12.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "bigbluebutton"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room\u0027s settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room\u0027s settings. This issue has been patched in release version 2.12.6."
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269: Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/bigbluebutton/greenlight/security/advisories/GHSA-phh8-3v6v-7498",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/bigbluebutton/greenlight/security/advisories/GHSA-phh8-3v6v-7498"
                },
                {
                  "name": "https://github.com/bigbluebutton/greenlight/pull/3508",
                  "refsource": "MISC",
                  "url": "https://github.com/bigbluebutton/greenlight/pull/3508"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-phh8-3v6v-7498",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-31039",
        "datePublished": "2022-06-27T19:25:12.000Z",
        "dateReserved": "2022-05-18T00:00:00.000Z",
        "dateUpdated": "2025-04-23T18:07:57.100Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-26497 (GCVE-0-2022-26497)

    Vulnerability from cvelistv5 – Published: 2022-06-02 00:00 – Updated: 2024-08-03 05:03
    VLAI
    Summary
    BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:03:32.975Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the \"Share room access\" dialog if the victim has shared access to the particular room with the attacker previously."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-05-04T00:00:00.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "url": "https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352"
            },
            {
              "url": "https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/"
            },
            {
              "url": "http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-26497",
        "datePublished": "2022-06-02T00:00:00.000Z",
        "dateReserved": "2022-03-06T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:03:32.975Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-27642 (GCVE-0-2020-27642)

    Vulnerability from cvelistv5 – Published: 2020-10-22 12:56 – Updated: 2024-08-04 16:18
    VLAI
    Summary
    A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T16:18:45.476Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/pull/2214"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A cross-site scripting (XSS) vulnerability exists in the \u0027merge account\u0027 functionality in admins.js in BigBlueButton Greenlight 2.7.6."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-10-22T12:56:56.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bigbluebutton/greenlight/pull/2214"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-27642",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A cross-site scripting (XSS) vulnerability exists in the \u0027merge account\u0027 functionality in admins.js in BigBlueButton Greenlight 2.7.6."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/bigbluebutton/greenlight/pull/2214",
                  "refsource": "MISC",
                  "url": "https://github.com/bigbluebutton/greenlight/pull/2214"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-27642",
        "datePublished": "2020-10-22T12:56:56.000Z",
        "dateReserved": "2020-10-22T00:00:00.000Z",
        "dateUpdated": "2024-08-04T16:18:45.476Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2020-26163 (GCVE-0-2020-26163)

    Vulnerability from cvelistv5 – Published: 2020-09-30 15:28 – Updated: 2024-08-04 15:49
    VLAI
    Summary
    BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-04T15:49:07.140Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.sakshamanand.com/host-header-injection-bigbluebutton/"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/releases/tag/release-2.5.6"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/bigbluebutton/greenlight/pull/1543"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-09-30T15:28:54.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.sakshamanand.com/host-header-injection-bigbluebutton/"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bigbluebutton/greenlight/releases/tag/release-2.5.6"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/bigbluebutton/greenlight/pull/1543"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2020-26163",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.sakshamanand.com/host-header-injection-bigbluebutton/",
                  "refsource": "MISC",
                  "url": "https://www.sakshamanand.com/host-header-injection-bigbluebutton/"
                },
                {
                  "name": "https://github.com/bigbluebutton/greenlight/releases/tag/release-2.5.6",
                  "refsource": "MISC",
                  "url": "https://github.com/bigbluebutton/greenlight/releases/tag/release-2.5.6"
                },
                {
                  "name": "https://github.com/bigbluebutton/greenlight/pull/1543",
                  "refsource": "MISC",
                  "url": "https://github.com/bigbluebutton/greenlight/pull/1543"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2020-26163",
        "datePublished": "2020-09-30T15:28:54.000Z",
        "dateReserved": "2020-09-30T00:00:00.000Z",
        "dateUpdated": "2024-08-04T15:49:07.140Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }