BigBlueButton E-mail Validation Bypass

2020.11.25
tr Seccops (TR) tr
Risk: Low
Local: No
Remote: Yes
CWE: CWE-862


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Title: BigBlueButton E-mail Validation Bypass # Date: 24.11.2020 # Author: Seccops (https://seccops.com) # Vendor Homepage: bigbluebutton.org # Version: 2.2.29 and previous versions # CVE: CVE-2020-29043 === Summary === An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an "account_activations/edit?token=" URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name. === Description === Steps: The verification token used in mail activation is sent with the GET method, so this token information is also seen by the attacker. Mail verification can be performed with the token information obtained. 1) Create a new user account on the portal and enter an email address of your choice (arbitrary). https://imgur.com/a/gkHIRld 2) Login to the created account. https://imgur.com/a/ZdwZTYg 3) After logging in, you will see the screen below. Copy the token in the link "https://site.com/b/account_activations/edit?token=TOKEN_IS_HERE" and replace it with "TOKEN_IS_HERE" and go to the link. https://imgur.com/a/Mo8Fsqc 4) Thus, you will see that your account has been approved. https://imgur.com/a/YaBrT1w The attacker can arbitrarily register on the portal with the e-mail address of a company he wants and use the user account by unauthorized approval of that e-mail address. === Impact === Social engineering attacks can be made with various scenarios, crimes can be committed and these crimes remain in the approved mail account.


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top