# Title: BigBlueButton Meeting Access Code Brute Force Vulnerability

# Google Dork: N/A

# Date: 24.11.2020

# Author: Seccops (https://seccops.com)

# Vendor Homepage: bigbluebutton.org

# Version: 2.2.29 and previous versions

# CVE: CVE-2020-29042

 

 

=== Summary ===

An issue was discovered in BigBlueButton through 2.2.29.

A brute-force attack may occur because an unlimited number of codes can be
entered for a meeting that is protected by an access code.

 

 

=== Description ===

BigBlueButton is an open source web conferencing solution for online
learning that provides real-time sharing of audio, video, slides,
whiteboard, chat and screen. It also allows participants to join the
conferences with their webcams and invite guest speakers.

 

An unlimited number of codes can be entered for a meeting that is protected
by an access code. This situation causes a brute force attack.

The following is a brute force attack for the access code of a meeting with
a known meeting link: https://imgur.com/a/jaoOkwT

 

 

=== Impact ===

An attacker who knows a meeting link protected by an access code; By
breaking the access code with brute force attack, it can make social
engineering attacks in the meeting, collect all the confidential
information/documents that were spoken and shared in the meeting, disturb
other users in the meeting or sabotage the meeting.