# Title: BigBlueButton Meeting Access Code Brute Force Vulnerability # Date: 24.11.2020 # Author: Seccops (https://seccops.com) # Vendor Homepage: bigbluebutton.org # Version: 2.2.29 and previous versions # CVE: CVE-2020-29042 === Summary === An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code. === Description === BigBlueButton is an open source web conferencing solution for online learning that provides real-time sharing of audio, video, slides, whiteboard, chat and screen. It also allows participants to join the conferences with their webcams and invite guest speakers. An unlimited number of codes can be entered for a meeting that is protected by an access code. This situation causes a brute force attack. The following is a brute force attack for the access code of a meeting with a known meeting link: https://imgur.com/a/jaoOkwT === Impact === An attacker who knows a meeting link protected by an access code; By breaking the access code with brute force attack, it can make social engineering attacks in the meeting, collect all the confidential information/documents that were spoken and shared in the meeting, disturb other users in the meeting or sabotage the meeting.