CVE-2024-38518
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-38518
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-38518.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-38518
- Aliases
-
- GHSA-4m48-49h7-f3c4
- Published
- 2024-06-28T20:25:40.743Z
- Modified
- 2025-12-05T05:09:14.550470Z
- Severity
-
- 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L CVSS Calculator
- Summary
- bbb-web API additional parameters considered
- Details
-
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.
- Database specific
{ "cwe_ids": [ "CWE-284" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38518.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/38xxx/CVE-2024-38518.json
- https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1
- https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72
- https://github.com/bigbluebutton/bigbluebutton/pull/20279
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4
- https://nvd.nist.gov/vuln/detail/CVE-2024-38518
Affected packages
Git / github.com/bigbluebutton/bigbluebutton
Affected ranges
Affected versions
0.*
0.81-dev-deskshare-fixes-compatible-with-0.8
2.*
2.2-beta-10
2.2-beta-11
2.2-beta-12
2.2-beta-14
2.2-beta-15
2.2-beta-16
2.2-beta-17
2.2-beta-18
2.2-beta-19
2.2-beta-2
2.2-beta-20
2.2-beta-21
2.2-beta-22
2.2-beta-23
2.2-beta-3
2.2-beta-4
2.2-beta-5
2.2-beta-6
2.2-beta-7
2.2-beta-8
2.2-beta-9
2.2-rc-1
2.2-rc-2
2.2-rc-3
2.2-rc-4
2.2-rc-5
2.2-rc-6
2.4-rc-2
2.5.0-rc.3
Other
dcs-2-a
pre-recording-merge
v0.*
v0.7
v0.71
v0.71a
v0.8
v0.81
v0.81b
v0.81rc
v0.81rc2
v0.81rc3
v0.81rc4
v0.81rc5
v0.8b4
v0.8b4.0
v0.8rc2
v0.9.0-beta
v0.9.1
v0.9.2
v1.*
v1.0.0
v1.1.0
v2.*
v2.0-rc2
v2.0-rc3
v2.0-rc4
v2.0-rc5
v2.0-rc6
v2.0-rc7
v2.0.x-html5-beta1
v2.2.0
v2.2.1
v2.2.10
v2.2.11-good
v2.2.12
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.23
v2.2.24
v2.2.25
v2.2.26
v2.2.27
v2.2.28
v2.2.29
v2.2.3
v2.2.30
v2.2.31
v2.2.32
v2.2.33
v2.2.34
v2.2.35
v2.2.36
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.2.9
v2.3-alpha-1
v2.3-alpha-2
v2.3-alpha-3
v2.3-alpha-4
v2.3-alpha-5
v2.3-alpha-6
v2.3-alpha-7
v2.3-alpha-8
v2.3-beta-1
v2.3-beta-2
v2.3-beta-3
v2.3-beta-4
v2.3-beta-5
v2.3-rc-1
v2.3-rc-2
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4-alpha-1
v2.4-alpha-2
v2.4-beta-1
v2.4-beta-2
v2.4-beta-3
v2.4-beta-4
v2.4-rc-1
v2.4-rc-3
v2.4-rc-4
v2.4-rc-5
v2.4-rc-6
v2.4-rc-7
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.5-alpha-1
v2.5-alpha-2
v2.5-alpha-3
v2.5-alpha-4
v2.5.0
v2.5.0-alpha.5
v2.5.0-alpha.6
v2.5.0-beta.1
v2.5.0-beta.2
v2.5.0-rc.1
v2.5.0-rc.2
v2.5.0-rc.4
v2.5.1
v2.5.10
v2.5.11
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.6.0
v2.6.0-alpha.1
v2.6.0-alpha.2
v2.6.0-alpha.3
v2.6.0-alpha.4
v2.6.0-beta.1
v2.6.0-beta.2
v2.6.0-beta.3
v2.6.0-beta.4
v2.6.0-beta.5
v2.6.0-beta.6
v2.6.0-beta.7
v2.6.0-rc.1
v2.6.0-rc.2
v2.6.0-rc.3
v2.6.0-rc.4
v2.6.0-rc.5
v2.6.0-rc.6
v2.6.0-rc.7
v2.6.0-rc.8
v2.6.0-rc.9
v2.6.1
v2.6.10
v2.6.11
v2.6.12
v2.6.14
v2.6.15
v2.6.16
v2.6.17
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v3.*
v3.0.0-alpha.5