BigBlueButton 2.2.25 File Disclosure / Server-Side Request Forgery

Posted on 21 October 2020

RedTeam Pentesting discovered a vulnerability in the BigBlueButton web conferencing system version 2.2.25 that allows participants of a conference with permissions to upload presentations to read arbitrary files from the file system and perform server-side requests. This leads to administrative access to the BigBlueButton instance.