Security Vulnerabilities
Please note that binary patches are not produced for individual vulnerabilities. To obtain the binary fix for a particular vulnerability you should upgrade to an Apache OpenMeetings version where that vulnerability has been fixed.
For more information about reporting vulnerabilities, see the Apache Security Team page.
Vulnerability handling guide
REFERENCES -> permalink to the announce email in archives
Going forward, please include the product and version information in the description itself as well as in the "[PRODUCT]" and "[VERSION]" lines in your submissions. While this may seem redundant, including the information in both places satisfies different use cases and supports automation.
Reporting New Security Problems
Please report any security errors to security@openmeetings.apache.org
Please NOTE: only security issues should be reported to this list.
CVE-2023-28936: Apache OpenMeetings: insufficient check of invitation hash
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: from 2.0.0 before 7.1.0
Description: Attacker can access arbitrary recording/room
CVE-2023-28936
The issue was fixed in 7.1.0
All users are recommended to upgrade to Apache OpenMeetings 7.1.0
Credit: This issue was identified by Stefan Schiller
CVE-2023-29032: Apache OpenMeetings: allows bypass authentication
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: from 3.1.3 before 7.1.0
Description: An attacker that has gained access to certain private information can use this to act as other user.
CVE-2023-29032
The issue was fixed in 7.1.0
All users are recommended to upgrade to Apache OpenMeetings 7.1.0
Credit: This issue was identified by Stefan Schiller
CVE-2023-29246: Apache OpenMeetings: allows null-byte Injection
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: from 2.0.0 before 7.0.0
Description: An attacker who has gained access to an admin account can perform RCE via null-byte injection
CVE-2023-29246
The issue was fixed in 7.1.0
All users are recommended to upgrade to Apache OpenMeetings 7.1.0
Credit: This issue was identified by Stefan Schiller
CVE-2023-28326: Apache OpenMeetings: allows user impersonation
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: from 2.0.0 before 7.0.0
Description: Attacker can elevate their privileges in any room
CVE-2023-28326
The issue was fixed in 7.0.0
All users are recommended to upgrade to Apache OpenMeetings 7.0.0
Credit: This issue was identified by Dennis Zimmt
CVE-2021-27576 - Apache OpenMeetings: bandwidth can be overloaded with public web service
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: from 4.0.0 before 6.0.0
Description: NetTest web service can be used to overload the bandwidth of the server
CVE-2021-27576
The issue was fixed in 6.0.0
All users are recommended to upgrade to Apache OpenMeetings 6.0.0
Credit: This issue was identified by Trung Le, Chi Tran, Linh Cua
CVE-2020-13951 - Apache Openmeetings: DoS via public web service
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: from 4.0.0 before 5.0.1
Description: NetTest web service can be used to perform Denial of Service attack
CVE-2020-13951
The issue was fixed in 5.0.1
All users are recommended to upgrade to Apache OpenMeetings 5.0.1
Credit: This issue was identified by Trung Le, Chi Tran, Ngo Van Thien
CVE-2018-1325 - Wicket jQuery UI: XSS while displaying value in WYSIWYG editor
Severity: High
Vendor: wicket-jquery-ui
Versions Affected: <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1
Description: JS code created in WYSIWYG editor will be executed on display
CVE-2018-1325
The issue was fixed in 6.29.1, 7.10.2, 8.0.0-M9.2
All users are recommended to upgrade to Apache OpenMeetings 4.0.3
Credit: This issue was identified by Kamil Sevi
CVE-2017-15719 - Wicket jQuery UI: XSS in WYSIWYG editor
Severity: High
Vendor: wicket-jquery-ui
Versions Affected: <= 6.28.0, <= 7.9.1, <= 8.0.0-M8
Description: Attacker can submit arbitrary JS code to WYSIWYG editor
CVE-2017-15719
The issue was fixed in 6.28.1, 7.9.2, 8.0.0-M8.1
All users are recommended to upgrade to Apache OpenMeetings 4.0.2
Credit: This issue was identified by Sahil Dhar of Security Innovation Inc
CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: from 3.0.0 before 4.0.2
Description: CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users.
CVE-2018-1286
The issue was fixed in 4.0.2
All users are recommended to upgrade to Apache OpenMeetings 4.0.2
Credit: This issue was identified by Sahil Dhar of Security Innovation Inc
CVE-2017-7663 - Apache OpenMeetings - XSS in chat
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: 3.2.0
Description: Both global and Room chat are vulnerable to XSS attack
CVE-2017-7663
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: from 3.1.0 before 3.3.0
Description: Uploaded XML documents were not correctly validated
CVE-2017-7664
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: from 1.0.0 before 3.3.0
Description: Apache Openmeetings is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks
CVE-2017-7666
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: from 1.0.0 before 3.3.0
Description: Apache OpenMeetings uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection
CVE-2017-7673
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: from 1.0.0 before 3.3.0
Description: Apache OpenMeetings has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains.
CVE-2017-7680
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services
Severity: High
Vendor: The Apache Software Foundation
Versions Affected: from 1.0.0 before 3.3.0
Description: Apache OpenMeetings is vulnerable to SQL injection This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end
CVE-2017-7681
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass
Severity: Medium
Vendor: The Apache Software Foundation
Versions Affected: 3.2.0
Description: Apache OpenMeetings is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas.
CVE-2017-7682
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-7683 - Apache OpenMeetings - Information Disclosure
Severity: Lowest
Vendor: The Apache Software Foundation
Versions Affected: from 1.0.0 before 3.3.0
Description: Apache OpenMeetings displays Tomcat version and detailed error stack trace which is not secure.
CVE-2017-7683
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-7684 - Apache OpenMeetings - Insecure File Upload
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: from 1.0.0 before 3.3.0
Description: Apache OpenMeetings doesn't check contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server
CVE-2017-7684
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods
Severity: Lowest
Vendor: The Apache Software Foundation
Versions Affected: from 1.0.0 before 3.3.0
Description: Apache OpenMeetingsrespond to the following insecure HTTP Methods: PUT, DELETE, HEAD, and PATCH.
CVE-2017-7685
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected: from 1.0.0 before 3.3.0
Description: Apache OpenMeetings updates user password in insecure manner.
CVE-2017-7688
The issue was fixed in 3.3.0
All users are recommended to upgrade to Apache OpenMeetings 3.3.0
Credit: This issue was identified by Security Innovation
CVE-2017-5878 - RED5/AMF Unmarshalling RCE
Severity: Critical
Vendor: Red5
Versions Affected: before 3.1.4
Description: The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the classes for which it performs deserialization, which allows remote attackers to execute arbitrary code via crafted serialized Java data.
CVE-2017-5878
The issue was fixed in 3.1.4
All users are recommended to upgrade to Apache OpenMeetings 3.1.4
Credit: This issue was identified by Moritz Bechler
CVE-2016-8736 - Apache Openmeetings RMI Registry Java Deserialization RCE
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: from 3.1.0 before 3.1.2
Description: Apache Openmeetings is vulnerable to Remote Code Execution via RMI deserialization attack
CVE-2016-8736
The issue was fixed in 3.1.2
All users are recommended to upgrade to Apache OpenMeetings 3.1.3
Credit: This issue was identified by Jacob Baines, Tenable Network Security
CVE-2016-3089 - Apache OpenMeetings XSS in SWF panel
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: from 3.1.0 before 3.1.2
Description: The value of the URL's "swf" query parameter is interpolated into the JavaScript tag without being escaped, leading to the reflected XSS.
CVE-2016-3089
All users are recommended to upgrade to Apache OpenMeetings 3.1.2
Credit: This issue was identified by Matthew Daley
CVE-2016-0783 - Predictable password reset token
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: from 1.9.x before 3.1.1
Description: The hash generated by the external password reset function is generated by concatenating the user name and the current system time, and then hashing it using MD5. This is highly predictable and can be cracked in seconds by an attacker with knowledge of the user name of an OpenMeetings user.
CVE-2016-0783
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
CVE-2016-0784 - ZIP file path traversal
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: from 1.9.x before 3.1.1
Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially crafted file names within ZIP archives. By uploading an archive containing a file named ../../../public/hello.txt will write the file “hello.txt” to the http://domain:5080/openmeetings/public/ directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd party integrated executable) with a shell script, which would be executed the next time an image file is uploaded and imagemagick is invoked.
CVE-2016-0784
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
CVE-2016-2163 - Stored Cross Site Scripting in Event description
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: from 1.9.x before 3.1.1
Description: When creating an event, it is possible to create clickable URL links in the event description. These links will be present inside the event details once a participant enters the room via the event. It is possible to create a link like "javascript:alert('xss')", which will execute once the link is clicked. As the link is placed within an <a> tag, the actual link is not visible to the end user which makes it hard to tell if the link is legit or not.
CVE-2016-2163
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
CVE-2016-2164 - Arbitrary file read via SOAP API
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: from 1.9.x before 3.1.1
Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile methods in the FileService, it is possible to read arbitrary files from the system. This is due to that Java's URL class is used without checking what protocol handler is specified in the API call.
CVE-2016-2164
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh