Home > Vulnerability Database > CVE-2022-41960

Mend.io Vulnerability Database

CVE-2022-41960

Date: December 15, 2022

BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to "validateAuthToken" using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.

Language: JS

Severity Score

4.3

Related Resources (5)

Url: https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3

Url: https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm

Url: https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-41960

Url: https://www.mend.io/vulnerability-database/CVE-2022-41960

Severity Score

4.3

Weakness Type (CWE)

Insufficient Verification of Data Authenticity

CWE-345

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2022-41960

Date: December 15, 2022

Language: JS

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?