CVE-2020-27608

In BigBlueButton before 2.2.6, uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.

Date published : 2020-10-21

https://github.com/bigbluebutton/bigbluebutton/commit/79361bd4859145f888a88d59d92b1a83ccc8ab23

https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.5…v2.2.6