First published: Wed Oct 21 2020
In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
BigBlueButton BigBlueButton | <2.2.7 | |
https://github.com/bigbluebutton/bigbluebutton/commit/7dcdfb191373684bafa7b11cdd0128c9869040a1
The vulnerability ID is CVE-2020-27601.
The severity of CVE-2020-27601 is low with a severity value of 3.5.
BigBlueButton versions up to but excluding 2.2.7 are affected by CVE-2020-27601.
CVE-2020-27601 allows already opened chats to bypass the disablePrivateChat setting in BigBlueButton before 2.2.7.
To fix CVE-2020-27601, upgrade to BigBlueButton version 2.2.7 or later.