Unrestricted File Upload in bigbluebutton/bigbluebutton
Nov 2nd 2022
BigBlueButton 2.5.6 is vulnerable to unrestricted file upload: the insertDocument API call does not validate the extension of the supplied file before saving it to disk, and does not remove the file when validation subsequently fails. An attacker can therefore leave a file with an arbitrary extension on the server even though the upload is reported as rejected.
1- Submit a request to the insertDocument API call, specifying the desired file extension:
2- The log file and the saved file on the file system:
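The save-then-validate mistake described above, beside a validate-then-save handler that does not leave rejected files behind, as an added Python example. This is illustrative code written for this page, not BigBlueButton's own upload handling; the allowlist of document types, the magic bytes, the function names and the sample uploads are all assumptions constructed for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Illustrative allowlist: extension -> magic bytes the content must start with.
# (Assumption for this example; not BigBlueButton's real document type list.)
ALLOWED_TYPES = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
}


class UploadRejected(Exception):
    """Raised when an uploaded document fails validation."""


def save_document_vulnerable(upload_dir: str, user_filename: str, data: bytes) -> Path:
    """Save-then-validate anti-pattern: the caller-chosen filename (extension
    included) is written to disk first, and a failed validation leaves the
    file in place. This mirrors the behaviour the advisory describes."""
    dest = Path(upload_dir) / user_filename
    dest.write_bytes(data)  # the file now exists under the attacker's extension
    ext = dest.suffix.lower()
    if ext not in ALLOWED_TYPES or not data.startswith(ALLOWED_TYPES[ext]):
        # Validation fails, but nothing deletes dest: it stays on disk.
        raise UploadRejected(f"unsupported or mismatched document type: {user_filename}")
    return dest


def save_document_hardened(upload_dir: str, user_filename: str, data: bytes) -> Path:
    """Validate-then-save: check the extension against the allowlist and the
    content against that type's magic bytes before anything touches the upload
    directory, write under a server-chosen name, and clean up on any failure."""
    ext = Path(user_filename).suffix.lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension not allowed: {ext or '(none)'}")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not look like {ext}")

    # Random stem + validated extension: the caller's basename never reaches disk.
    final = Path(upload_dir) / f"{secrets.token_hex(8)}{ext}"
    fd, tmp = tempfile.mkstemp(dir=upload_dir, suffix=".part")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.replace(tmp, final)  # atomic: readers never see a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # no partial or rejected file is left behind
        raise
    return final


def demo() -> dict:
    """Run both handlers against constructed sample uploads (a minimal PDF and
    a PHP payload) in a scratch directory and report what is left on disk."""
    pdf = b"%PDF-1.4\n% constructed sample document\n"
    php = b"<?php echo 'constructed sample payload'; ?>"
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        vuln_dir, hard_dir = Path(scratch) / "vuln", Path(scratch) / "hard"
        vuln_dir.mkdir()
        hard_dir.mkdir()

        # Vulnerable handler: a valid PDF is accepted, a .php upload is
        # "rejected" yet remains on disk under the attacker's extension.
        results["vuln_pdf_ok"] = save_document_vulnerable(str(vuln_dir), "deck.pdf", pdf).exists()
        try:
            save_document_vulnerable(str(vuln_dir), "shell.php", php)
            results["vuln_php_rejected"] = False
        except UploadRejected:
            results["vuln_php_rejected"] = True
        results["vuln_php_left_on_disk"] = (vuln_dir / "shell.php").exists()

        # Hardened handler: only the validated PDF ends up in the directory.
        saved = save_document_hardened(str(hard_dir), "deck.pdf", pdf)
        results["hard_pdf_suffix"] = saved.suffix
        results["hard_pdf_content_ok"] = saved.read_bytes() == pdf
        for name, body in (("shell.php", php), ("fake.pdf", php)):
            try:
                save_document_hardened(str(hard_dir), name, body)
                results[f"hard_{name}_rejected"] = False
            except UploadRejected:
                results[f"hard_{name}_rejected"] = True
        results["hard_files_on_disk"] = sorted(p.name for p in hard_dir.iterdir())
        results["hard_leftovers"] = [n for n in results["hard_files_on_disk"] if n != saved.name]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened form rejects both a disallowed extension and a permitted extension whose content does not match (for example PHP source named `fake.pdf`), and it does so before any write; the temporary-file-plus-rename pattern means that even a crash mid-write leaves no attacker-named file in the upload directory.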
Impact of the rejected file remaining on the server:
1- AV distribution (the server can be used to host and serve arbitrary, potentially malicious, files)
2- Chaining the uploaded file with another vulnerability or issue