ID PACKETSTORM:160239 Type packetstorm Reporter Ismail Saygili Modified 2020-11-26T00:00:00
Description
`# Title: BigBlueButton E-mail Validation Bypass
# Google Dork: N/A
# Date: 24.11.2020
# Author: Seccops (https://seccops.com)
# Vendor Homepage: bigbluebutton.org
# Version: 2.2.29 and previous versions
# CVE: CVE-2020-29043
=== Summary ===
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is
able to view an "account_activations/edit?token=" URI, the attacker can
create an approved user account associated with an email address that has an
arbitrary domain name.
=== Description ===
Steps:
The verification token used in mail activation is sent with the GET method,
so this token information is also seen by the attacker. Mail verification
can be performed with the token information obtained.
1) Create a new user account on the portal and enter an email address of
your choice (arbitrary). https://imgur.com/a/gkHIRld
2) Login to the created account. https://imgur.com/a/ZdwZTYg
3) After logging in, you will see the screen below. Copy the token in the
link "https://site.com/b/account_activations/edit?token=TOKEN_IS_HERE" and
replace it with "TOKEN_IS_HERE" and go to the link.
https://imgur.com/a/Mo8Fsqc
4) Thus, you will see that your account has been approved.
https://imgur.com/a/YaBrT1w
The attacker can arbitrarily register on the portal with the e-mail address
of a company he wants and use the user account by unauthorized approval of
that e-mail address.
=== Impact ===
Social engineering attacks can be made with various scenarios, crimes can be
committed and these crimes remain in the approved mail account.
`
{"id": "PACKETSTORM:160239", "type": "packetstorm", "bulletinFamily": "exploit", "title": "BigBlueButton 2.2.29 E-mail Validation Bypass", "description": "", "published": "2020-11-26T00:00:00", "modified": "2020-11-26T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html", "reporter": "Ismail Saygili", "references": [], "cvelist": ["CVE-2020-29043"], "lastseen": "2020-11-28T17:50:47", "viewCount": 141, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-29043"]}], "modified": "2020-11-28T17:50:47", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-11-28T17:50:47", "rev": 2}, "vulnersScore": 5.4}, "sourceHref": "https://packetstormsecurity.com/files/download/160239/bbbev229-bypass.txt", "sourceData": "`# Title: BigBlueButton E-mail Validation Bypass \n \n# Google Dork: N/A \n \n# Date: 24.11.2020 \n \n# Author: Seccops (https://seccops.com) \n \n# Vendor Homepage: bigbluebutton.org \n \n# Version: 2.2.29 and previous versions \n \n# CVE: CVE-2020-29043 \n \n \n \n \n \n=== Summary === \n \nAn issue was discovered in BigBlueButton through 2.2.29. When at attacker is \nable to view an \"account_activations/edit?token=\" URI, the attacker can \ncreate an approved user account associated with an email address that has an \narbitrary domain name. \n \n \n \n \n \n=== Description === \n \n \n \nSteps: \n \nThe verification token used in mail activation is sent with the GET method, \nso this token information is also seen by the attacker. Mail verification \ncan be performed with the token information obtained. \n \n \n \n1) Create a new user account on the portal and enter an email address of \nyour choice (arbitrary). https://imgur.com/a/gkHIRld \n \n \n \n2) Login to the created account. https://imgur.com/a/ZdwZTYg \n \n \n \n3) After logging in, you will see the screen below. Copy the token in the \nlink \"https://site.com/b/account_activations/edit?token=TOKEN_IS_HERE\" and \nreplace it with \"TOKEN_IS_HERE\" and go to the link. \nhttps://imgur.com/a/Mo8Fsqc \n \n \n \n4) Thus, you will see that your account has been approved. \nhttps://imgur.com/a/YaBrT1w \n \n \n \nThe attacker can arbitrarily register on the portal with the e-mail address \nof a company he wants and use the user account by unauthorized approval of \nthat e-mail address. \n \n \n \n \n \n=== Impact === \n \nSocial engineering attacks can be made with various scenarios, crimes can be \ncommitted and these crimes remain in the approved mail account. \n \n \n \n \n \n`\n"}
{"cve": [{"lastseen": "2020-12-09T22:03:12", "description": "An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-11-26T18:15:00", "title": "CVE-2020-29043", "type": "cve", "cwe": ["CWE-862"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-29043"], "modified": "2020-11-29T23:49:00", "cpe": ["cpe:/a:bigbluebutton:bigbluebutton:2.2.29"], "id": "CVE-2020-29043", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29043", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:bigbluebutton:bigbluebutton:2.2.29:*:*:*:*:*:*:*"]}]}
