CVE-2024-38518

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-38518
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-38518.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-38518
Related
  • GHSA-4m48-49h7-f3c4
Published
2024-06-28T21:15:03Z
Modified
2025-01-08T16:13:04.686757Z
Summary
[none]
Details

BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", which allows the attacker to join the meeting as a moderator using a join link that was originally created for viewer access. This vulnerability has been patched in versions 2.6.18, 2.7.8 and 3.0.0-alpha.7.

Affected packages

Git / github.com/bigbluebutton/bigbluebutton

Affected ranges

Type
GIT
Repo
https://github.com/bigbluebutton/bigbluebutton
Events

Affected versions

0.*

0.81-dev-deskshare-fixes-compatible-with-0.8

2.*

2.2-beta-10
2.2-beta-11
2.2-beta-12
2.2-beta-14
2.2-beta-15
2.2-beta-16
2.2-beta-17
2.2-beta-18
2.2-beta-19
2.2-beta-2
2.2-beta-20
2.2-beta-21
2.2-beta-22
2.2-beta-23
2.2-beta-3
2.2-beta-4
2.2-beta-5
2.2-beta-6
2.2-beta-7
2.2-beta-8
2.2-beta-9
2.2-rc-1
2.2-rc-2
2.2-rc-3
2.2-rc-4
2.2-rc-5
2.2-rc-6
2.4-rc-2
2.5.0-rc.3

Other

dcs-2-a
pre-recording-merge

v0.*

v0.7
v0.71
v0.71a
v0.8
v0.81
v0.81b
v0.81rc
v0.81rc2
v0.81rc3
v0.81rc4
v0.81rc5
v0.8b4
v0.8b4.0
v0.8rc2
v0.9.0-beta
v0.9.1
v0.9.2

v1.*

v1.0.0
v1.1.0

v2.*

v2.0-rc2
v2.0-rc3
v2.0-rc4
v2.0-rc5
v2.0-rc6
v2.0-rc7
v2.0.x-html5-beta1
v2.2.0
v2.2.1
v2.2.10
v2.2.11-good
v2.2.12
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.23
v2.2.24
v2.2.25
v2.2.26
v2.2.27
v2.2.28
v2.2.29
v2.2.3
v2.2.30
v2.2.31
v2.2.32
v2.2.33
v2.2.34
v2.2.35
v2.2.36
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3-alpha-1
v2.3-alpha-2
v2.3-alpha-3
v2.3-alpha-4
v2.3-alpha-5
v2.3-alpha-6
v2.3-alpha-7
v2.3-alpha-8
v2.3-beta-1
v2.3-beta-2
v2.3-beta-3
v2.3-beta-4
v2.3-beta-5
v2.3-rc-1
v2.3-rc-2
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4-alpha-1
v2.4-alpha-2
v2.4-beta-1
v2.4-beta-2
v2.4-beta-3
v2.4-beta-4
v2.4-rc-1
v2.4-rc-3
v2.4-rc-4
v2.4-rc-5
v2.4-rc-6
v2.4-rc-7
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5-alpha-1
v2.5-alpha-2
v2.5-alpha-3
v2.5-alpha-4
v2.5.0
v2.5.0-alpha.5
v2.5.0-alpha.6
v2.5.0-beta.1
v2.5.0-beta.2
v2.5.0-rc.1
v2.5.0-rc.2
v2.5.0-rc.4
v2.5.1
v2.5.10
v2.5.11
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.6.0
v2.6.0-alpha.1
v2.6.0-alpha.2
v2.6.0-alpha.3
v2.6.0-alpha.4
v2.6.0-beta.1
v2.6.0-beta.2
v2.6.0-beta.3
v2.6.0-beta.4
v2.6.0-beta.5
v2.6.0-beta.6
v2.6.0-beta.7
v2.6.0-rc.1
v2.6.0-rc.2
v2.6.0-rc.3
v2.6.0-rc.4
v2.6.0-rc.5
v2.6.0-rc.6
v2.6.0-rc.7
v2.6.0-rc.8
v2.6.0-rc.9
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.14
v2.6.15
v2.6.16
v2.6.17
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0
v2.7.0-alpha.1
v2.7.0-alpha.2
v2.7.0-alpha.3
v2.7.0-beta.1
v2.7.0-beta.2
v2.7.0-beta.3
v2.7.0-rc.1
v2.7.0-rc.2
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7

v3.*

v3.0.0-alpha.5