BigBlueButton 2.2.29 E-mail Validation Bypass

`# Title: BigBlueButton E-mail Validation Bypass  
  
# Google Dork: N/A  
  
# Date: 24.11.2020  
  
# Author: Seccops (https://seccops.com)  
  
# Vendor Homepage: bigbluebutton.org  
  
# Version: 2.2.29 and previous versions  
  
# CVE: CVE-2020-29043  
  
  
  
  
  
=== Summary ===  
  
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is  
able to view an "account_activations/edit?token=" URI, the attacker can  
create an approved user account associated with an email address that has an  
arbitrary domain name.  
  
  
  
  
  
=== Description ===  
  
  
  
Steps:  
  
The verification token used in mail activation is sent with the GET method,  
so this token information is also seen by the attacker. Mail verification  
can be performed with the token information obtained.  
  
  
  
1) Create a new user account on the portal and enter an email address of  
your choice (arbitrary). https://imgur.com/a/gkHIRld  
  
  
  
2) Login to the created account. https://imgur.com/a/ZdwZTYg  
  
  
  
3) After logging in, you will see the screen below. Copy the token in the  
link "https://site.com/b/account_activations/edit?token=TOKEN_IS_HERE" and  
replace it with "TOKEN_IS_HERE" and go to the link.  
https://imgur.com/a/Mo8Fsqc  
  
  
  
4) Thus, you will see that your account has been approved.  
https://imgur.com/a/YaBrT1w  
  
  
  
The attacker can arbitrarily register on the portal with the e-mail address  
of a company he wants and use the user account by unauthorized approval of  
that e-mail address.  
  
  
  
  
  
=== Impact ===  
  
Social engineering attacks can be made with various scenarios, crimes can be  
committed and these crimes remain in the approved mail account.  
  
  
  
  
  
`