CVE-2022-41961— BigBlueButton subject to Ineffective user bans
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-41961
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
BigBlueButton subject to Ineffective user bans
Source: NVD (National Vulnerability Database)
Vulnerability Description
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
源验证错误
Source: NVD (National Vulnerability Database)
Vulnerability Title
BigBlueButton 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
BigBlueButton是BigBlueButton社区的一套开源的Web会议系统。 BigBlueButton 2.4-rc-6 之前版本存在访问控制错误漏洞,该漏洞源于受到无效用户禁令的约束,攻击者利用该漏洞可以注册多个用户,并与其中之一一起加入会议。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| bigbluebutton | bigbluebutton | < v2.4-rc-6 | - |
II. Public POCs for CVE-2022-41961
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-41961
请登录查看更多情报信息。
Same Patch Batch · bigbluebutton · 2022-12-16 · 5 CVEs total
| CVE-2022-41964 | 5.7 MEDIUM | BigBlueButton contains Response leaks in anonymous polls |
| CVE-2022-23490 | 4.3 MEDIUM | Improper access control to polling votes |
| CVE-2022-41962 | 2.7 LOW | BigBlueButton contains Incorrect Authorization for setting emoji status |
| CVE-2022-41963 | 2.7 LOW | BigBlueButton contains Improper Preservation of Permissions for whiteboard |
IV. Related Vulnerabilities
Same product: bigbluebutton
- CVE-2026-41127
BigBlueButton's missing authorization allows viewer to injec - CVE-2026-41126
BigBlueButton has Open Redirect through bigbluebutton/api/jo - CVE-2026-27736
BigBlueButton has Open Redirect vulnerability in ApiControll - CVE-2026-27467
BigBlueButton: Audio from participants to the server initial - CVE-2026-27466
BigBlueButton: Exposed ClamAV port enables Denial of Service
Same vendor: bigbluebutton
- CVE-2026-41127
BigBlueButton's missing authorization allows viewer to injec - CVE-2026-41126
BigBlueButton has Open Redirect through bigbluebutton/api/jo - CVE-2026-27736
BigBlueButton has Open Redirect vulnerability in ApiControll - CVE-2026-27467
BigBlueButton: Audio from participants to the server initial - CVE-2026-27466
BigBlueButton: Exposed ClamAV port enables Denial of Service
Same weakness: CWE-346
- CVE-2026-6508
RCE in TUBITAK BILGEM's Liderahenk - CVE-2026-43870
Apache Thrift: Node.js web_server.js multi-vulnerability - CVE-2026-7439
AgentFlow Local Web API Content-Type Validation Bypass - CVE-2026-41398
OpenClaw - Unauthorized Agent Request Dispatch via Untrusted - CVE-2026-41393
OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance an
V. Comments for CVE-2022-41961
No comments yet