PT-2020-17085 · Bigbluebutton · Bigbluebutton

Published

2020-11-26

Updated

2021-07-21

CVE-2020-29043

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions BigBlueButton versions through 2.2.29

Description An issue was discovered in BigBlueButton where an attacker can create an approved user account associated with an email address that has an arbitrary domain name when able to view an "account activations/edit?token=" URI.

Recommendations For BigBlueButton versions through 2.2.29, as a temporary workaround, consider restricting access to the "account activations/edit?token=" URI until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2020-29043

Affected Products

Bigbluebutton

PT-2020-17085 · Bigbluebutton · Bigbluebutton

CVE-2020-29043

Weakness Enumeration

Related Identifiers

Affected Products

References · 8