Search criteria
38 vulnerabilities found for Apache OpenMeetings by Apache Software Foundation
CVE-2024-54676 (GCVE-0-2024-54676)
Vulnerability from cvelistv5 – Published: 2025-01-08 08:40 – Updated: 2025-01-08 14:00
Title
Apache OpenMeetings: Deserialisation of untrusted data in cluster mode
Summary
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: The default clustering instructions at https://openmeetings.apache.org/Clustering.html don't specify white/black lists for OpenJPA; this leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
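Severity
No CVSS score from the CNA, which rates the issue "important" in text. The CISA-ADP container of the record below assigns a CVSS 3.1 base score of 9.8 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.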
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
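| URL | Tags |
|---|---|
| https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95 | vendor-advisory |
| http://www.openwall.com/lists/oss-security/2025/01/08/1 | |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 2.1 , < 8.0.0 (semver) |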
Credits
m0d9 from Tencent Yunding Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-08T09:02:51.250Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/08/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-54676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T14:00:24.422606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T14:00:52.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "8.0.0",
"status": "affected",
"version": "2.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "m0d9 from Tencent Yunding Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVendor: The Apache Software Foundation\u003c/p\u003e\u003cp\u003eVersions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0\u003c/p\u003eDescription: Default clustering instructions at \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://openmeetings.apache.org/Clustering.html\"\u003ehttps://openmeetings.apache.org/Clustering.html\u003c/a\u003e\u0026nbsp;doesn\u0027t specify white/black lists for OpenJPA this leads to possible \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edeserialisation of untrusted data\u003c/span\u003e.\u003cbr\u003eUsers are recommended to upgrade to version 8.0.0 and \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupdate their startup scripts to include the relevant \u003c/span\u003e\u003ccode\u003e\u0027openjpa.serialization.class.blacklist\u0027 and \u0027openjpa.serialization.class.whitelist\u0027 configurations as shown in the documentation\u003c/code\u003e."
}
],
"value": "Vendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0\n\nDescription: Default clustering instructions at https://openmeetings.apache.org/Clustering.html \u00a0doesn\u0027t specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.\nUsers are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant \u0027openjpa.serialization.class.blacklist\u0027 and \u0027openjpa.serialization.class.whitelist\u0027 configurations as shown in the documentation."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T08:40:03.705Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95"
}
],
"source": {
"defect": [
"OPENMEETINGS-2787"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: Deserialisation of untrusted data in cluster mode",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-54676",
"datePublished": "2025-01-08T08:40:03.705Z",
"dateReserved": "2024-12-05T04:43:41.354Z",
"dateUpdated": "2025-01-08T14:00:52.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28936 (GCVE-0-2023-28936)
Vulnerability from cvelistv5 – Published: 2023-05-12 07:45 – Updated: 2024-10-10 20:30
Title
Apache OpenMeetings: insufficient check of invitation hash
Summary
Attacker can access arbitrary recording/room
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
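Severity
No CVSS score from the CNA, which rates the issue "critical" in text. The CISA-ADP container of the record below assigns a CVSS 3.1 base score of 5.3 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.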
CWE
- CWE-697 - Incorrect Comparison
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/y6vng44c22ll221rtvsv208x1pbjmdoc | vendor-advisory, x_transferred |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 2.0.0 , < 7.1.0 (semver) |
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:39.125Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/y6vng44c22ll221rtvsv208x1pbjmdoc"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-28936",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T20:26:04.896745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T20:30:03.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Attacker can access arbitrary recording/room\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions\u0026nbsp;Affected: Apache OpenMeetings from 2.0.0 before 7.1.0\u003cbr\u003e"
}
],
"value": "Attacker can access arbitrary recording/room\n\nVendor: The Apache Software Foundation\n\nVersions\u00a0Affected: Apache OpenMeetings from 2.0.0 before 7.1.0\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697 Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:45:04.835Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/y6vng44c22ll221rtvsv208x1pbjmdoc"
}
],
"source": {
"defect": [
"OPENMEETINGS-2762"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: insufficient check of invitation hash",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-28936",
"datePublished": "2023-05-12T07:45:04.835Z",
"dateReserved": "2023-03-28T15:43:06.369Z",
"dateUpdated": "2024-10-10T20:30:03.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29032 (GCVE-0-2023-29032)
Vulnerability from cvelistv5 – Published: 2023-05-12 07:43 – Updated: 2024-10-10 19:48
Title
Apache OpenMeetings: allows bypass authentication
Summary
An attacker that has gained access to certain private information can use this to act as another user.
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0
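Severity
No CVSS score from the CNA, which rates the issue "important" in text. The CISA-ADP container of the record below assigns a CVSS 3.1 base score of 8.1 (HIGH), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.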
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp | vendor-advisory, x_transferred |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 3.1.3 , < 7.1.0 (semver) |
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "3.1.3",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:44:48.609636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:48:37.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "3.1.3",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker that has gained access to certain private information can use this to act as other user.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0"
}
],
"value": "An attacker that has gained access to certain private information can use this to act as other user.\n\nVendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:43:30.483Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp"
}
],
"source": {
"defect": [
"OPENMEETINGS-2764"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: allows bypass authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-29032",
"datePublished": "2023-05-12T07:43:30.483Z",
"dateReserved": "2023-03-30T04:39:06.692Z",
"dateUpdated": "2024-10-10T19:48:37.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29246 (GCVE-0-2023-29246)
Vulnerability from cvelistv5 – Published: 2023-05-12 07:43 – Updated: 2024-10-10 19:35
Title
Apache OpenMeetings: allows null-byte Injection
Summary
An attacker who has gained access to an admin account can perform RCE via null-byte injection
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
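Severity
No CVSS score from the CNA, which rates the issue "important" in text. The CISA-ADP container of the record below assigns a CVSS 3.1 base score of 7.2 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.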
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/230plvhbdx26m43b0sy942wlwt6kkmmr | vendor-advisory, x_transferred |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 2.0.0 , < 7.1.0 (semver) |
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:16.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/230plvhbdx26m43b0sy942wlwt6kkmmr"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:34:24.542931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:35:57.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker who has gained access to an admin account can perform RCE via null-byte injection\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0"
}
],
"value": "An attacker who has gained access to an admin account can perform RCE via null-byte injection\n\nVendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:43:20.422Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/230plvhbdx26m43b0sy942wlwt6kkmmr"
}
],
"source": {
"defect": [
"OPENMEETINGS-2765"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: allows null-byte Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-29246",
"datePublished": "2023-05-12T07:43:20.422Z",
"dateReserved": "2023-04-04T15:31:03.257Z",
"dateUpdated": "2024-10-10T19:35:57.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28326 (GCVE-0-2023-28326)
Vulnerability from cvelistv5 – Published: 2023-03-28 12:36 – Updated: 2024-10-23 15:13
Title
Apache OpenMeetings: allows user impersonation
Summary
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0
Description: Attacker can elevate their privileges in any room
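Severity
No CVSS score from the CNA, which rates the issue "critical" in text. The CISA-ADP container of the record below assigns a CVSS 3.1 base score of 9.8 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.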
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9 | vendor-advisory, x_transferred |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 2.0.0 , < 7.0.0 (semver) |
Credits
Dennis Zimmt
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.0.0",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-28326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T15:13:01.067926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T15:13:50.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.0.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dennis Zimmt"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVendor: The Apache Software Foundation\u003c/p\u003e\u003cp\u003eVersions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0\u003c/p\u003e\u003cp\u003eDescription: Attacker can elevate their privileges in any room\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Vendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0\n\nDescription: Attacker can elevate their privileges in any room\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-28T12:36:11.566Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9"
}
],
"source": {
"defect": [
"OPENMEETINGS-2739"
],
"discovery": "UNKNOWN"
},
"title": "Apache OpenMeetings: allows user impersonation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-28326",
"datePublished": "2023-03-28T12:36:11.566Z",
"dateReserved": "2023-03-14T09:26:00.600Z",
"dateUpdated": "2024-10-23T15:13:50.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27576 (GCVE-0-2021-27576)
Vulnerability from cvelistv5 – Published: 2021-03-15 09:05 – Updated: 2025-02-13 16:27
Title
Apache OpenMeetings: bandwidth can be overloaded with public web service
Summary
It was found that the NetTest web service can be used to overload the bandwidth of an Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0.
Severity ?
No CVSS data available.
CWE
- Server bandwidth overload
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E | x_refsource_MISC, x_transferred |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 4.0.0 , < Apache OpenMeetings 4* (custom); Affected: Apache OpenMeetings 5 , ≤ 5.1.0 (custom) |
Credits
This issue was identified by Trung Le, Chi Tran, Linh Cua
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache OpenMeetings 4*",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.1.0",
"status": "affected",
"version": "Apache OpenMeetings 5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was identified by Trung Le, Chi Tran, Linh Cua"
}
],
"descriptions": [
{
"lang": "en",
"value": "If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server bandwidth overload",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T21:27:40.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache OpenMeetings: bandwidth can be overloaded with public web service",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-27576",
"STATE": "PUBLIC",
"TITLE": "Apache OpenMeetings: bandwidth can be overloaded with public web service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "Apache OpenMeetings 4",
"version_value": "4.0.0"
},
{
"version_affected": "\u003c=",
"version_name": "Apache OpenMeetings 5",
"version_value": "5.1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was identified by Trung Le, Chi Tran, Linh Cua"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server bandwidth overload"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-27576",
"datePublished": "2021-03-15T09:05:17.000Z",
"dateReserved": "2021-02-23T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:56.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1286 (GCVE-0-2018-1286)
Vulnerability from cvelistv5 – Published: 2018-02-28 18:00 – Updated: 2024-09-16 18:07
Summary
In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users.
Severity ?
No CVSS data available.
CWE
- Insufficient Access Controls
Assigner
References
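| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8%40%3Cuser.openmeetings.apache.org%3E | mailing-list, x_refsource_MLIST, x_transferred |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 3.0.0 - 4.0.1 |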
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8%40%3Cuser.openmeetings.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.0.0 - 4.0.1"
}
]
}
],
"datePublic": "2018-02-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient Access Controls",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-28T17:57:02",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8%40%3Cuser.openmeetings.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-02-25T00:00:00",
"ID": "CVE-2018-1286",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.0.0 - 4.0.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8@%3Cuser.openmeetings.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1286",
"datePublished": "2018-02-28T18:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-16T18:07:50.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8736 (GCVE-0-2016-8736)
Vulnerability from cvelistv5 – Published: 2017-10-12 18:00 – Updated: 2024-08-06 02:27
Summary
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
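| URL | Tags |
|---|---|
| http://openmeetings.markmail.org/thread/tr47byaaopnemvne | x_refsource_MISC, x_transferred |
| http://www.securityfocus.com/bid/94145 | vdb-entry, x_refsource_BID, x_transferred |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: before 3.1.12 |
Note: the record's affected-version field reads "before 3.1.12", while its description says "before 3.1.2"; confirm the fixed version against the vendor advisory before relying on either value.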
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:27:41.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94145"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "before 3.1.12"
}
]
}
],
"datePublic": "2016-07-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-20T19:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94145"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2016-8736",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "before 3.1.12"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne",
"refsource": "MISC",
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94145"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8736",
"datePublished": "2017-10-12T18:00:00",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-08-06T02:27:41.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7663 (GCVE-0-2017-7663)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-17 03:08
Summary
Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0.
Severity ?
No CVSS data available.
CWE
- XSS
Assigner
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/99577 | vdb-entry, x_refsource_BID |
| http://markmail.org/message/aka2z2dq7icfw2p2 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 3.2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.768Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99577",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "99577",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7663",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99577",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"refsource": "MLIST",
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7663",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-17T03:08:15.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7688 (GCVE-0-2017-7688)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-17 03:02
Summary
Apache OpenMeetings 1.0.0 updates user password in insecure manner.
Severity ?
No CVSS data available.
CWE
- Insecure Password Update
Assigner
References
| URL | Tags |
|---|---|
| http://markmail.org/message/ctsiiqtekzsun6fi | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/99586 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.837Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99586"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 updates user password in insecure manner."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Password Update",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99586"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7688",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 updates user password in insecure manner."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Password Update"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"refsource": "MLIST",
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99586"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7688",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-17T03:02:48.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7680 (GCVE-0-2017-7680)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-16 19:09
Summary
Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains.
Severity ?
No CVSS data available.
CWE
- Insecure crossdomain.xml policy
Assigner
References
| URL | Tags |
|---|---|
| http://markmail.org/message/whhibri7ervbjvda | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.837Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/whhibri7ervbjvda"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure crossdomain.xml policy",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/whhibri7ervbjvda"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7680",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure crossdomain.xml policy"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy",
"refsource": "MLIST",
"url": "http://markmail.org/message/whhibri7ervbjvda"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7680",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T19:09:47.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7685 (GCVE-0-2017-7685)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-16 16:59
Summary
Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.
Severity ?
No CVSS data available.
CWE
- Insecure HTTP Methods
Assigner
References
| URL | Tags |
|---|---|
| http://markmail.org/message/uxk4bpq35svnyjhb | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/99592 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99592"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure HTTP Methods",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-17T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99592"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7685",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure HTTP Methods"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"refsource": "MLIST",
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99592"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7685",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T16:59:04.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7681 (GCVE-0-2017-7681)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-16 18:39
Summary
Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end.
Severity ?
No CVSS data available.
CWE
- SQL injection
Assigner
References
| URL | Tags |
|---|---|
| http://markmail.org/message/j774dp5ro5xmkmg6 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7681",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"refsource": "MLIST",
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7681",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T18:39:15.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7682 (GCVE-0-2017-7682)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-16 22:09
Summary
Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas.
Severity ?
No CVSS data available.
CWE
- Business Logic Bypass
Assigner
References
| URL | Tags |
|---|---|
| http://markmail.org/message/dbrbvf5k343ulivf | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 3.2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Business Logic Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7682",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Business Logic Bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"refsource": "MLIST",
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7682",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T22:09:03.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7664 (GCVE-0-2017-7664)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-16 23:36
Summary
Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0.
Severity ?
No CVSS data available.
CWE
- XML Validation
Assigner
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/99576 | vdb-entry, x_refsource_BID |
| http://markmail.org/message/cwr552iapmhukb45 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 3.1.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:28.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99576",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99576"
},
{
"name": "[user] 20170713 CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/cwr552iapmhukb45"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.1.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "99576",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99576"
},
{
"name": "[user] 20170713 CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/cwr552iapmhukb45"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7664",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99576",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99576"
},
{
"name": "[user] 20170713 CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation",
"refsource": "MLIST",
"url": "http://markmail.org/message/cwr552iapmhukb45"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7664",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T23:36:16.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54676 (GCVE-0-2024-54676)
Vulnerability from nvd – Published: 2025-01-08 08:40 – Updated: 2025-01-08 14:00
Title
Apache OpenMeetings: Deserialisation of untrusted data in cluster mode
Summary
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
Severity ?
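No CNA-supplied CVSS data available; the CISA-ADP container in this record scores it CVSS 3.1 base 9.8 (CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and the CNA's textual severity is "important".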
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95 | vendor-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 2.1 , < 8.0.0 (semver) |
Credits
m0d9 from Tencent Yunding Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-08T09:02:51.250Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/08/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-54676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T14:00:24.422606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T14:00:52.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "8.0.0",
"status": "affected",
"version": "2.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "m0d9 from Tencent Yunding Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVendor: The Apache Software Foundation\u003c/p\u003e\u003cp\u003eVersions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0\u003c/p\u003eDescription: Default clustering instructions at \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://openmeetings.apache.org/Clustering.html\"\u003ehttps://openmeetings.apache.org/Clustering.html\u003c/a\u003e\u0026nbsp;doesn\u0027t specify white/black lists for OpenJPA this leads to possible \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edeserialisation of untrusted data\u003c/span\u003e.\u003cbr\u003eUsers are recommended to upgrade to version 8.0.0 and \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupdate their startup scripts to include the relevant \u003c/span\u003e\u003ccode\u003e\u0027openjpa.serialization.class.blacklist\u0027 and \u0027openjpa.serialization.class.whitelist\u0027 configurations as shown in the documentation\u003c/code\u003e."
}
],
"value": "Vendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0\n\nDescription: Default clustering instructions at https://openmeetings.apache.org/Clustering.html \u00a0doesn\u0027t specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.\nUsers are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant \u0027openjpa.serialization.class.blacklist\u0027 and \u0027openjpa.serialization.class.whitelist\u0027 configurations as shown in the documentation."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T08:40:03.705Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95"
}
],
"source": {
"defect": [
"OPENMEETINGS-2787"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: Deserialisation of untrusted data in cluster mode",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-54676",
"datePublished": "2025-01-08T08:40:03.705Z",
"dateReserved": "2024-12-05T04:43:41.354Z",
"dateUpdated": "2025-01-08T14:00:52.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28936 (GCVE-0-2023-28936)
Vulnerability from nvd – Published: 2023-05-12 07:45 – Updated: 2024-10-10 20:30
Title
Apache OpenMeetings: insufficient check of invitation hash
Summary
Attacker can access arbitrary recording/room
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
Severity ?
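No CNA-supplied CVSS data available; the CISA-ADP container in this record scores it CVSS 3.1 base 5.3 (MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), while the CNA's textual severity is "critical".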
CWE
- CWE-697 - Incorrect Comparison
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/y6vng44c22ll221rtvsv208x1pbjmdoc | vendor-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 2.0.0 , < 7.1.0 (semver) |
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:39.125Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/y6vng44c22ll221rtvsv208x1pbjmdoc"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-28936",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T20:26:04.896745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T20:30:03.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Attacker can access arbitrary recording/room\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions\u0026nbsp;Affected: Apache OpenMeetings from 2.0.0 before 7.1.0\u003cbr\u003e"
}
],
"value": "Attacker can access arbitrary recording/room\n\nVendor: The Apache Software Foundation\n\nVersions\u00a0Affected: Apache OpenMeetings from 2.0.0 before 7.1.0\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697 Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:45:04.835Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/y6vng44c22ll221rtvsv208x1pbjmdoc"
}
],
"source": {
"defect": [
"OPENMEETINGS-2762"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: insufficient check of invitation hash",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-28936",
"datePublished": "2023-05-12T07:45:04.835Z",
"dateReserved": "2023-03-28T15:43:06.369Z",
"dateUpdated": "2024-10-10T20:30:03.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29032 (GCVE-0-2023-29032)
Vulnerability from nvd – Published: 2023-05-12 07:43 – Updated: 2024-10-10 19:48
Title
Apache OpenMeetings: allows bypass authentication
Summary
An attacker that has gained access to certain private information can use this to act as another user.
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0
Severity ?
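No CVSS data available from the CNA, whose textual severity for this record is "important". The CISA-ADP container in the record below assigns a CVSS 3.1 base score of 8.1 (HIGH), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H.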
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp | vendor-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 3.1.3 , < 7.1.0 (semver) |
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "3.1.3",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:44:48.609636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:48:37.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "3.1.3",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker that has gained access to certain private information can use this to act as other user.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0"
}
],
"value": "An attacker that has gained access to certain private information can use this to act as other user.\n\nVendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:43:30.483Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp"
}
],
"source": {
"defect": [
"OPENMEETINGS-2764"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: allows bypass authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-29032",
"datePublished": "2023-05-12T07:43:30.483Z",
"dateReserved": "2023-03-30T04:39:06.692Z",
"dateUpdated": "2024-10-10T19:48:37.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29246 (GCVE-0-2023-29246)
Vulnerability from nvd – Published: 2023-05-12 07:43 – Updated: 2024-10-10 19:35
Title
Apache OpenMeetings: allows null-byte Injection
Summary
An attacker who has gained access to an admin account can perform RCE via null-byte injection
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
Severity ?
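No CVSS data available from the CNA, whose textual severity for this record is "important". The CISA-ADP container in the record below assigns a CVSS 3.1 base score of 7.2 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.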
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/230plvhbdx26m43b0sy942wlwt6kkmmr | vendor-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 2.0.0 , < 7.1.0 (semver) |
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:16.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/230plvhbdx26m43b0sy942wlwt6kkmmr"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:34:24.542931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:35:57.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker who has gained access to an admin account can perform RCE via null-byte injection\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0"
}
],
"value": "An attacker who has gained access to an admin account can perform RCE via null-byte injection\n\nVendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:43:20.422Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/230plvhbdx26m43b0sy942wlwt6kkmmr"
}
],
"source": {
"defect": [
"OPENMEETINGS-2765"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: allows null-byte Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-29246",
"datePublished": "2023-05-12T07:43:20.422Z",
"dateReserved": "2023-04-04T15:31:03.257Z",
"dateUpdated": "2024-10-10T19:35:57.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28326 (GCVE-0-2023-28326)
Vulnerability from nvd – Published: 2023-03-28 12:36 – Updated: 2024-10-23 15:13
Title
Apache OpenMeetings: allows user impersonation
Summary
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0
Description: Attacker can elevate their privileges in any room
Severity ?
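No CVSS data available from the CNA, whose textual severity for this record is "critical". The CISA-ADP container in the record below assigns a CVSS 3.1 base score of 9.8 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.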
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9 | vendor-advisory |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 2.0.0 , < 7.0.0 (semver) |
Credits
Dennis Zimmt
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.0.0",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-28326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T15:13:01.067926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T15:13:50.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.0.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dennis Zimmt"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVendor: The Apache Software Foundation\u003c/p\u003e\u003cp\u003eVersions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0\u003c/p\u003e\u003cp\u003eDescription: Attacker can elevate their privileges in any room\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Vendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0\n\nDescription: Attacker can elevate their privileges in any room\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-28T12:36:11.566Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9"
}
],
"source": {
"defect": [
"OPENMEETINGS-2739"
],
"discovery": "UNKNOWN"
},
"title": "Apache OpenMeetings: allows user impersonation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-28326",
"datePublished": "2023-03-28T12:36:11.566Z",
"dateReserved": "2023-03-14T09:26:00.600Z",
"dateUpdated": "2024-10-23T15:13:50.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27576 (GCVE-0-2021-27576)
Vulnerability from nvd – Published: 2021-03-15 09:05 – Updated: 2025-02-13 16:27
Title
Apache OpenMeetings: bandwidth can be overloaded with public web service
Summary
It was found that the NetTest web service can be used to overload the bandwidth of an Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0
Severity ?
No CVSS data available.
CWE
- Server bandwidth overload
Assigner
References
| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 4.0.0 , < Apache OpenMeetings 4* (custom)<br>Affected: Apache OpenMeetings 5 , ≤ 5.1.0 (custom) |
Credits
This issue was identified by Trung Le, Chi Tran, Linh Cua
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache OpenMeetings 4*",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.1.0",
"status": "affected",
"version": "Apache OpenMeetings 5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was identified by Trung Le, Chi Tran, Linh Cua"
}
],
"descriptions": [
{
"lang": "en",
"value": "If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server bandwidth overload",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T21:27:40.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache OpenMeetings: bandwidth can be overloaded with public web service",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-27576",
"STATE": "PUBLIC",
"TITLE": "Apache OpenMeetings: bandwidth can be overloaded with public web service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "Apache OpenMeetings 4",
"version_value": "4.0.0"
},
{
"version_affected": "\u003c=",
"version_name": "Apache OpenMeetings 5",
"version_value": "5.1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was identified by Trung Le, Chi Tran, Linh Cua"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server bandwidth overload"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-27576",
"datePublished": "2021-03-15T09:05:17.000Z",
"dateReserved": "2021-02-23T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:56.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1286 (GCVE-0-2018-1286)
Vulnerability from nvd – Published: 2018-02-28 18:00 – Updated: 2024-09-16 18:07
Summary
In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users.
Severity ?
No CVSS data available.
CWE
- Insufficient Access Controls
Assigner
References
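| URL | Tags |
|---|---|
| https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8%40%3Cuser.openmeetings.apache.org%3E | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 3.0.0 - 4.0.1 |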
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8%40%3Cuser.openmeetings.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.0.0 - 4.0.1"
}
]
}
],
"datePublic": "2018-02-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient Access Controls",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-28T17:57:02",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8%40%3Cuser.openmeetings.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-02-25T00:00:00",
"ID": "CVE-2018-1286",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.0.0 - 4.0.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8@%3Cuser.openmeetings.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1286",
"datePublished": "2018-02-28T18:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-16T18:07:50.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8736 (GCVE-0-2016-8736)
Vulnerability from nvd – Published: 2017-10-12 18:00 – Updated: 2024-08-06 02:27
Summary
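Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack. Note that the affected-version field of this record reads "before 3.1.12", which disagrees with this description; confirm the fixed release against the vendor advisory before relying on either bound.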
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags |
|---|---|
| http://openmeetings.markmail.org/thread/tr47byaaopnemvne | x_refsource_MISC |
| http://www.securityfocus.com/bid/94145 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: before 3.1.12 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:27:41.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94145"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "before 3.1.12"
}
]
}
],
"datePublic": "2016-07-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-20T19:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94145"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2016-8736",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "before 3.1.12"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne",
"refsource": "MISC",
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94145"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8736",
"datePublished": "2017-10-12T18:00:00",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-08-06T02:27:41.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7663 (GCVE-0-2017-7663)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-17 03:08
Summary
Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0.
Severity ?
No CVSS data available.
CWE
- XSS
Assigner
References
| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/99577 | vdb-entry, x_refsource_BID |
| http://markmail.org/message/aka2z2dq7icfw2p2 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 3.2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.768Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99577",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "99577",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7663",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99577",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"refsource": "MLIST",
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7663",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-17T03:08:15.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7688 (GCVE-0-2017-7688)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-17 03:02
Summary
Apache OpenMeetings 1.0.0 updates user password in insecure manner.
Severity ?
No CVSS data available.
CWE
- Insecure Password Update
Assigner
References
| URL | Tags |
|---|---|
| http://markmail.org/message/ctsiiqtekzsun6fi | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/99586 | vdb-entry, x_refsource_BID |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.837Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99586"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 updates user password in insecure manner."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Password Update",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99586"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7688",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 updates user password in insecure manner."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Password Update"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"refsource": "MLIST",
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99586"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7688",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-17T03:02:48.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7680 (GCVE-0-2017-7680)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-16 19:09
Summary
Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows Flash content to be loaded from untrusted domains.
Severity ?
No CVSS data available.
CWE
- Insecure crossdomain.xml policy
Assigner
References
| URL | Tags |
|---|---|
| http://markmail.org/message/whhibri7ervbjvda | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.837Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/whhibri7ervbjvda"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure crossdomain.xml policy",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/whhibri7ervbjvda"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7680",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure crossdomain.xml policy"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy",
"refsource": "MLIST",
"url": "http://markmail.org/message/whhibri7ervbjvda"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7680",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T19:09:47.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7685 (GCVE-0-2017-7685)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-16 16:59
Summary
Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.
Severity ?
No CVSS data available.
CWE
- Insecure HTTP Methods
Assigner
References
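| URL | Tags |
|---|---|
| http://markmail.org/message/uxk4bpq35svnyjhb | mailing-list, x_refsource_MLIST |
| http://www.securityfocus.com/bid/99592 | vdb-entry, x_refsource_BID |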
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99592"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure HTTP Methods",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-17T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99592"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7685",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure HTTP Methods"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"refsource": "MLIST",
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99592"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7685",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T16:59:04.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7681 (GCVE-0-2017-7681)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-16 18:39
Summary
Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end.
Severity ?
No CVSS data available.
CWE
- SQL injection
Assigner
References
| URL | Tags |
|---|---|
| http://markmail.org/message/j774dp5ro5xmkmg6 | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 1.0.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7681",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"refsource": "MLIST",
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7681",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T18:39:15.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7682 (GCVE-0-2017-7682)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-16 22:09
Summary
Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks; as a result, an attacker has access to restricted areas.
Severity ?
No CVSS data available.
CWE
- Business Logic Bypass
Assigner
References
| URL | Tags |
|---|---|
| http://markmail.org/message/dbrbvf5k343ulivf | mailing-list, x_refsource_MLIST |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 3.2.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Business Logic Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7682",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Business Logic Bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"refsource": "MLIST",
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7682",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T22:09:03.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7664 (GCVE-0-2017-7664)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-16 23:36
Summary
Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0.
Severity ?
No CVSS data available.
CWE
- XML Validation
Assigner
References
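| URL | Tags |
|---|---|
| http://www.securityfocus.com/bid/99576 | vdb-entry, x_refsource_BID |
| http://markmail.org/message/cwr552iapmhukb45 | mailing-list, x_refsource_MLIST |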
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Apache Software Foundation | Apache OpenMeetings | Affected: 3.1.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:28.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99576",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99576"
},
{
"name": "[user] 20170713 CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/cwr552iapmhukb45"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.1.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XML Validation",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "99576",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99576"
},
{
"name": "[user] 20170713 CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/cwr552iapmhukb45"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7664",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XML Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99576",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99576"
},
{
"name": "[user] 20170713 CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation",
"refsource": "MLIST",
"url": "http://markmail.org/message/cwr552iapmhukb45"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7664",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T23:36:16.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}