Package: (BigBlueButton)
Title: Improper access control to polling votes
Severity: Moderate (6.5/10)

CVSS v3 base metrics:
- Attack vector: Network
- Attack complexity: Low
- Privileges required: Low
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: None

CVE ID: CVE-2022-23490
Affected versions:
Patched versions:

Impact: Meetings with polls are affected. The attacker, a meeting participant, can subscribe to the collection. This does not update the client UI but gives the attacker access to the contents of the collection, including the individual poll responses.

Workarounds: No workarounds.

References:
- Enforce permission check, allowing only allowed users to access the collection.
- Patch in BigBlueButton 2.4.0

For more information: Email security at bigbluebutton.org

Credits: This vulnerability was examined by Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University.
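
The class of fix named under References, shown as an added example that is not BigBlueButton's code: a server-side publication that returns poll documents to any participant, next to one that enforces the permission check itself and records denied subscriptions. The function names, role names, document fields and the choice of which role may read votes are all assumptions made for illustration.

```javascript
// Added illustration; every name and value here is constructed, not taken from BigBlueButton.
const ALLOWED_ROLES = new Set(["PRESENTER"]); // assumption: roles permitted to read votes

// Constructed sample data: users per meeting and one poll with individual responses.
const users = new Map([
  ["u1", { meetingId: "m1", role: "PRESENTER" }],
  ["u2", { meetingId: "m1", role: "VIEWER" }],
  ["u3", { meetingId: "m2", role: "PRESENTER" }],
]);
const pollCollection = [
  { meetingId: "m1", pollId: "p1", responses: [{ userId: "u2", answer: "B" }] },
];

// Before: any authenticated participant of the meeting receives the whole
// collection, individual responses included. The client UI not rendering the
// data does not protect it, because the documents still reach the subscriber.
function publishPollsUnchecked(userId) {
  const user = users.get(userId);
  if (!user) return [];
  return pollCollection.filter((doc) => doc.meetingId === user.meetingId);
}

// After: the publication enforces the permission check on the server and
// keeps a record of denied subscription attempts for later review.
const deniedLog = [];
function publishPollsChecked(userId) {
  const user = users.get(userId);
  if (!user || !ALLOWED_ROLES.has(user.role)) {
    deniedLog.push({ userId, collection: "polls", at: Date.now() });
    return [];
  }
  // Allowed role, still scoped to the subscriber's own meeting.
  return pollCollection.filter((doc) => doc.meetingId === user.meetingId);
}
```
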