Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information. Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
PILOS account takeover through password reset poisoning
Vulnerability Description
PILOS is an open source front-end for BigBlueButton servers with a built-in load balancer. The password reset component deployed within PILOS uses the hostname supplied in the request Host header when building a password reset URL. It may be possible to manipulate the URL sent to PILOS users so that it points to the attacker's server, thereby disclosing the password reset token if/when the link is followed. This only affects local user accounts and requires the password reset option to be enabled. This issue has been patched in version 2.3.0.
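The following is an added illustration, not PILOS code and not part of the advisory: it contrasts the flawed pattern the description refers to (the reset link's origin taken from the request Host header) with a hardened version that checks the Host header against an allowlist and builds the link only from a configured application URL. The configuration values, function names and the spoofed hostname are constructed for the example.

```python
"""Added example (not PILOS code): building a password reset URL from a
configured application URL instead of the request Host header, and rejecting
requests whose Host header is not on an allowlist. All names and values are
constructed for illustration."""
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed configuration, as a PILOS-like deployment might define it.
APP_URL = "https://meet.example.org"       # canonical public origin
TRUSTED_HOSTS = {"meet.example.org"}        # hostnames this app answers for


def build_reset_url_vulnerable(host_header: str, token: str) -> str:
    """The flawed pattern: the link's origin comes straight from the request,
    so whoever controls the Host header controls where the token is sent."""
    return f"https://{host_header}/reset-password?" + urlencode({"token": token})


def host_is_trusted(host_header: str) -> bool:
    """Strip an optional port and compare the hostname against the allowlist."""
    hostname = urlsplit(f"//{host_header}").hostname or ""
    return hostname.lower() in TRUSTED_HOSTS


def build_reset_url(host_header: str, token: str) -> str:
    """Hardened: refuse untrusted hosts, then build the link from APP_URL only."""
    if not host_is_trusted(host_header):
        raise ValueError(f"untrusted Host header: {host_header!r}")
    scheme, netloc, _, _, _ = urlsplit(APP_URL)
    return urlunsplit(
        (scheme, netloc, "/reset-password", urlencode({"token": token}), "")
    )


def demo():
    """Show both behaviours for a request carrying a constructed, foreign Host."""
    token = secrets.token_urlsafe(32)
    spoofed_host = "attacker.invalid"  # constructed; .invalid is a reserved TLD
    leaked_link = build_reset_url_vulnerable(spoofed_host, token)
    try:
        build_reset_url(spoofed_host, token)
        outcome = "accepted"
    except ValueError as exc:
        outcome = f"rejected ({exc})"
    return leaked_link, outcome


if __name__ == "__main__":
    link, outcome = demo()
    print("vulnerable builder produced:", link)
    print("hardened builder:", outcome)
```

In practice the check on the Host header belongs in a middleware that runs before any URL is generated, and APP_URL should be the only source of the origin for every e-mailed link, not just password resets.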
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
Improper Input Validation
Vulnerability Title
BigBlueButton PILOS Security Vulnerability
Vulnerability Description
BigBlueButton is an open source web conferencing system from the BigBlueButton community. BigBlueButton PILOS versions 2.0 through 2.3 contain a security vulnerability: when building the password reset URL, the password reset component deployed in PILOS uses the hostname supplied in the request Host header, so a URL pointing to an attacker's server may be sent to PILOS users and, when the link is clicked, the password reset token is disclosed.
CVSS Information
N/A
Vulnerability Type
N/A