Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache OpenMeetings version where that vulnerability has been fixed.

For more information about reporting vulnerabilities, see the Apache Security Team page.

Vulnerability handling guide

Reporting New Security Problems

Please report any security errors to security@openmeetings.apache.org

Please NOTE: only security issues should be reported to this list.

CVE-2017-7663 - Apache OpenMeetings - XSS in chat

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 3.2.0

Description: Both the global chat and the room chat are vulnerable to XSS attacks
CVE-2017-7663

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 3.1.0

Description: Uploaded XML documents were not correctly validated
CVE-2017-7664

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.0.0

Description: Apache OpenMeetings is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME-based attacks
CVE-2017-7666

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.0.0

Description: Apache OpenMeetings uses weak cryptographic storage, does not use a captcha in the registration and forgotten-password dialogs, and its authentication forms lack brute-force protection
CVE-2017-7673

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.0.0

Description: Apache OpenMeetings has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains.
CVE-2017-7680

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services

Severity: High

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.0.0

Description: Apache OpenMeetings is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and to leak the structure of other queries made by the application in the back-end
CVE-2017-7681

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 3.2.0

Description: Apache OpenMeetings is vulnerable to parameter manipulation attacks; as a result an attacker can gain access to restricted areas.
CVE-2017-7682

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-7683 - Apache OpenMeetings - Information Disclosure

Severity: Lowest

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.0.0

Description: Apache OpenMeetings displays the Tomcat version and detailed error stack traces, which is insecure.
CVE-2017-7683

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-7684 - Apache OpenMeetings - Insecure File Upload

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.0.0

Description: Apache OpenMeetings doesn't check the contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server.
CVE-2017-7684

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods

Severity: Lowest

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.0.0

Description: Apache OpenMeetings responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.
CVE-2017-7685

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.0.0

Description: Apache OpenMeetings updates user passwords in an insecure manner.
CVE-2017-7688

The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0

Credit: This issue was identified by Security Innovation

CVE-2017-5878 - RED5/AMF Unmarshalling RCE

Severity: Critical

Vendor: Red5

Versions Affected: Apache OpenMeetings 3.1.3 and earlier

Description: The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which they perform deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.
CVE-2017-5878

The issue was fixed in 3.1.4
All users are recommended to upgrade to Apache OpenMeetings 3.1.4

Credit: This issue was identified by Moritz Bechler

CVE-2016-8736 - Apache Openmeetings RMI Registry Java Deserialization RCE

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 3.1.0

Description: Apache OpenMeetings is vulnerable to Remote Code Execution via an RMI deserialization attack
CVE-2016-8736

The issue was fixed in 3.1.2
All users are recommended to upgrade to Apache OpenMeetings 3.1.3

Credit: This issue was identified by Jacob Baines, Tenable Network Security

CVE-2016-3089 - Apache OpenMeetings XSS in SWF panel

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 3.1.0

Description: The value of the URL's "swf" query parameter is interpolated into the JavaScript tag without being escaped, leading to reflected XSS.
CVE-2016-3089

All users are recommended to upgrade to Apache OpenMeetings 3.1.2

Credit: This issue was identified by Matthew Daley

CVE-2016-0783 - Predictable password reset token

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0

Description: The hash generated by the external password reset function is generated by concatenating the user name and the current system time, and then hashing it using MD5. This is highly predictable and can be cracked in seconds by an attacker with knowledge of the user name of an OpenMeetings user.
CVE-2016-0783

All users are recommended to upgrade to Apache OpenMeetings 3.1.1

Credit: This issue was identified by Andreas Lindh
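The weakness above is that the only unknown in the reset hash is the system time. As an added example (not OpenMeetings code, which is Java; this is Python for illustration), the construction the advisory describes is shown next to a reset-token scheme that uses a CSPRNG, stores only a digest, expires, and is single-use; the 15-minute TTL is an assumption for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # assumption for the example: reset links expire after 15 minutes

def weak_reset_token(username: str, now_ms: int) -> str:
    """The construction the advisory describes: MD5 over user name + system time.
    Its only unknown is the timestamp, so the candidate space is tiny. Kept for
    contrast only."""
    return hashlib.md5(f"{username}{now_ms}".encode()).hexdigest()

def issue_reset_token(store: dict, username: str, now: Optional[float] = None) -> str:
    """Issue a 256-bit random token; persist only its SHA-256 digest plus an expiry.

    The plaintext token goes into the e-mailed link. A leaked store yields digests
    only, which cannot be turned back into a usable link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)                # 32 bytes from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    store[username] = {"digest": digest, "expires": now + TOKEN_TTL_SECONDS}
    return token

def verify_reset_token(store: dict, username: str, token: str,
                       now: Optional[float] = None) -> bool:
    """Expiring, single-use, constant-time check of a presented token."""
    now = time.time() if now is None else now
    record = store.get(username)
    if record is None or now > record["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["digest"]):   # no timing side channel
        return False
    del store[username]                                          # burn after one use
    return True
```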

CVE-2016-0784 - ZIP file path traversal

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0

Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially crafted file names within ZIP archives. Uploading an archive containing a file named ../../../public/hello.txt will write the file "hello.txt" to the http://domain:5080/openmeetings/public/ directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other third-party integrated executable) with a shell script, which would be executed the next time an image file is uploaded and ImageMagick is invoked.
CVE-2016-0784

All users are recommended to upgrade to Apache OpenMeetings 3.1.1

Credit: This issue was identified by Andreas Lindh
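The defensive check a backup importer needs is to resolve every member name against the destination directory before writing anything. Added example, not OpenMeetings code (Python rather than the project's Java); the destination path and the sample archive are constructed for the example.

```python
import io
import zipfile
from pathlib import Path, PurePosixPath

DEST_DIR = Path("/srv/openmeetings/backup-import")   # placeholder, constructed for the example

def safe_member_path(dest_dir: Path, member_name: str) -> Path:
    """Resolve a ZIP member name under dest_dir; raise ValueError if it could land
    elsewhere. Any '..' component is rejected outright, since a backup archive has
    no legitimate reason to contain one."""
    name = member_name.replace("\\", "/")              # treat Windows separators as '/'
    if name.startswith("/") or ":" in name.split("/", 1)[0]:
        raise ValueError(f"absolute member name rejected: {member_name!r}")
    parts = PurePosixPath(name).parts
    if ".." in parts:
        raise ValueError(f"parent-directory component rejected: {member_name!r}")
    root = dest_dir.resolve()
    target = root.joinpath(*parts).resolve()           # follows symlinks already under root
    if target != root and root not in target.parents:
        raise ValueError(f"member escapes destination: {member_name!r}")
    return target

def audit_archive(archive_bytes: bytes, dest_dir: Path) -> dict:
    """Classify every member name before anything touches the disk."""
    report = {"safe": [], "rejected": []}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            try:
                safe_member_path(dest_dir, name)
                report["safe"].append(name)
            except ValueError:
                report["rejected"].append(name)
    return report

def build_sample_zip(members: dict) -> bytes:
    """Constructed in-memory archive (not from the advisory) for exercising the checks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

An importer should run audit_archive first and refuse the whole upload when "rejected" is non-empty, rather than silently skipping the bad entries and importing the rest.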

CVE-2016-2163 - Stored Cross Site Scripting in Event description

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7

Description: When creating an event, it is possible to create clickable URL links in the event description. These links will be present inside the event details once a participant enters the room via the event. It is possible to create a link like "javascript:alert('xss')", which will execute once the link is clicked. As the link is placed within an <a> tag, the actual link is not visible to the end user, which makes it hard to tell whether the link is legitimate or not.
CVE-2016-2163

All users are recommended to upgrade to Apache OpenMeetings 3.1.1

Credit: This issue was identified by Andreas Lindh

CVE-2016-2164 - Arbitrary file read via SOAP API

Severity: Critical

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7

Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile methods in the FileService, it is possible to read arbitrary files from the system. This is because Java's URL class is used without checking which protocol handler is specified in the API call.
CVE-2016-2164

All users are recommended to upgrade to Apache OpenMeetings 3.1.1

Credit: This issue was identified by Andreas Lindh
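CVE-2016-2163 and CVE-2016-2164 share one root cause: a URL is used without checking its scheme, once in a rendered link (javascript:) and once in a server-side fetch (any handler Java's URL class supports). Added example, not OpenMeetings code (Python rather than the project's Java): one scheme allow-list serving both cases, including the whitespace and case tricks browsers tolerate.

```python
from urllib.parse import urlsplit

# Schemes a user-supplied link in an event description may use (CVE-2016-2163 case).
LINK_SCHEMES = {"http", "https", "mailto"}
# Schemes the server may follow when importing a file by URL (CVE-2016-2164 case):
# file:, jar:, ftp: and anything else a URL handler might support are deliberately absent.
IMPORT_SCHEMES = {"http", "https"}

_CONTROL = "".join(chr(c) for c in range(0x21))   # NUL .. space

def normalize(raw: str) -> str:
    """Drop tabs/newlines anywhere and leading control characters, mirroring what
    browsers do, so "java\\tscript:" or "  javascript:" cannot dodge the check."""
    cleaned = "".join(ch for ch in raw if ch not in "\t\r\n")
    return cleaned.lstrip(_CONTROL)

def url_scheme(raw: str) -> str:
    """Return the lower-cased scheme the URL would actually be parsed with."""
    return urlsplit(normalize(raw)).scheme.lower()

def is_safe_link(href: str) -> bool:
    """Allow-list for hrefs rendered into an <a> tag from user input.

    Absolute links must use an allowed scheme; relative links are fine unless
    they are protocol-relative (//host/...), which silently changes origin."""
    parts = urlsplit(normalize(href))
    if parts.scheme:
        return parts.scheme.lower() in LINK_SCHEMES
    return not parts.netloc and not parts.path.startswith("//")

def is_allowed_import_url(url: str) -> bool:
    """Allow-list for URLs the server itself will open: remote http(s) with a
    host part only, so a caller cannot hand the importer file:/// or jar: URLs."""
    parts = urlsplit(normalize(url))
    return parts.scheme.lower() in IMPORT_SCHEMES and bool(parts.netloc)
```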


Apache OpenMeetings, OpenMeetings, Apache, the Apache feather, and the Apache OpenMeetings project logo are trademarks of the Apache Software Foundation.