CVE-2020-29043

An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
VendorProductVersion
bigbluebuttonbigbluebutton
𝑥
≤ 2.2.29
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html
https://cxsecurity.com/issue/WLB-2020110211
https://github.com/bigbluebutton/bigbluebutton/releases
http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html
https://cxsecurity.com/issue/WLB-2020110211
https://github.com/bigbluebutton/bigbluebutton/releases