CVE-2020-29043

EUVD-2020-21425
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 51%
Affected Products (NVD)
VendorProductVersion
bigbluebuttonbigbluebutton
𝑥
≤ 2.2.29
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html
https://cxsecurity.com/issue/WLB-2020110211
https://github.com/bigbluebutton/bigbluebutton/releases
http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html
https://cxsecurity.com/issue/WLB-2020110211
https://github.com/bigbluebutton/bigbluebutton/releases