Search criteria
38 vulnerabilities found for Apache OpenMeetings by Apache Software Foundation
CVE-2024-54676 (GCVE-0-2024-54676)
Vulnerability from cvelistv5 – Published: 2025-01-08 08:40 – Updated: 2025-01-08 14:00
VLAI?
Summary
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
2.1 , < 8.0.0
(semver)
|
Credits
m0d9 from Tencent Yunding Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-08T09:02:51.250Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/08/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-54676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T14:00:24.422606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T14:00:52.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "8.0.0",
"status": "affected",
"version": "2.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "m0d9 from Tencent Yunding Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVendor: The Apache Software Foundation\u003c/p\u003e\u003cp\u003eVersions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0\u003c/p\u003eDescription: Default clustering instructions at \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://openmeetings.apache.org/Clustering.html\"\u003ehttps://openmeetings.apache.org/Clustering.html\u003c/a\u003e\u0026nbsp;doesn\u0027t specify white/black lists for OpenJPA this leads to possible \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edeserialisation of untrusted data\u003c/span\u003e.\u003cbr\u003eUsers are recommended to upgrade to version 8.0.0 and \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupdate their startup scripts to include the relevant \u003c/span\u003e\u003ccode\u003e\u0027openjpa.serialization.class.blacklist\u0027 and \u0027openjpa.serialization.class.whitelist\u0027 configurations as shown in the documentation\u003c/code\u003e."
}
],
"value": "Vendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0\n\nDescription: Default clustering instructions at https://openmeetings.apache.org/Clustering.html \u00a0doesn\u0027t specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.\nUsers are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant \u0027openjpa.serialization.class.blacklist\u0027 and \u0027openjpa.serialization.class.whitelist\u0027 configurations as shown in the documentation."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T08:40:03.705Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95"
}
],
"source": {
"defect": [
"OPENMEETINGS-2787"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: Deserialisation of untrusted data in cluster mode",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-54676",
"datePublished": "2025-01-08T08:40:03.705Z",
"dateReserved": "2024-12-05T04:43:41.354Z",
"dateUpdated": "2025-01-08T14:00:52.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28936 (GCVE-0-2023-28936)
Vulnerability from cvelistv5 – Published: 2023-05-12 07:45 – Updated: 2024-10-10 20:30
VLAI?
Summary
Attacker can access arbitrary recording/room
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
Severity ?
No CVSS data available.
CWE
- CWE-697 - Incorrect Comparison
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
2.0.0 , < 7.1.0
(semver)
|
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:39.125Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/y6vng44c22ll221rtvsv208x1pbjmdoc"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-28936",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T20:26:04.896745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T20:30:03.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Attacker can access arbitrary recording/room\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions\u0026nbsp;Affected: Apache OpenMeetings from 2.0.0 before 7.1.0\u003cbr\u003e"
}
],
"value": "Attacker can access arbitrary recording/room\n\nVendor: The Apache Software Foundation\n\nVersions\u00a0Affected: Apache OpenMeetings from 2.0.0 before 7.1.0\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697 Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:45:04.835Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/y6vng44c22ll221rtvsv208x1pbjmdoc"
}
],
"source": {
"defect": [
"OPENMEETINGS-2762"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: insufficient check of invitation hash",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-28936",
"datePublished": "2023-05-12T07:45:04.835Z",
"dateReserved": "2023-03-28T15:43:06.369Z",
"dateUpdated": "2024-10-10T20:30:03.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29032 (GCVE-0-2023-29032)
Vulnerability from cvelistv5 – Published: 2023-05-12 07:43 – Updated: 2024-10-10 19:48
VLAI?
Summary
An attacker that has gained access to certain private information can use this to act as other user.
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0
Severity ?
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
3.1.3 , < 7.1.0
(semver)
|
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "3.1.3",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:44:48.609636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:48:37.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "3.1.3",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker that has gained access to certain private information can use this to act as other user.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0"
}
],
"value": "An attacker that has gained access to certain private information can use this to act as other user.\n\nVendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:43:30.483Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp"
}
],
"source": {
"defect": [
"OPENMEETINGS-2764"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: allows bypass authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-29032",
"datePublished": "2023-05-12T07:43:30.483Z",
"dateReserved": "2023-03-30T04:39:06.692Z",
"dateUpdated": "2024-10-10T19:48:37.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29246 (GCVE-0-2023-29246)
Vulnerability from cvelistv5 – Published: 2023-05-12 07:43 – Updated: 2024-10-10 19:35
VLAI?
Summary
An attacker who has gained access to an admin account can perform RCE via null-byte injection
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
2.0.0 , < 7.1.0
(semver)
|
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:16.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/230plvhbdx26m43b0sy942wlwt6kkmmr"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:34:24.542931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:35:57.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker who has gained access to an admin account can perform RCE via null-byte injection\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0"
}
],
"value": "An attacker who has gained access to an admin account can perform RCE via null-byte injection\n\nVendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:43:20.422Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/230plvhbdx26m43b0sy942wlwt6kkmmr"
}
],
"source": {
"defect": [
"OPENMEETINGS-2765"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: allows null-byte Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-29246",
"datePublished": "2023-05-12T07:43:20.422Z",
"dateReserved": "2023-04-04T15:31:03.257Z",
"dateUpdated": "2024-10-10T19:35:57.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28326 (GCVE-0-2023-28326)
Vulnerability from cvelistv5 – Published: 2023-03-28 12:36 – Updated: 2024-10-23 15:13
VLAI?
Summary
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0
Description: Attacker can elevate their privileges in any room
Severity ?
No CVSS data available.
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
2.0.0 , < 7.0.0
(semver)
|
Credits
Dennis Zimmt
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.0.0",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-28326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T15:13:01.067926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T15:13:50.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.0.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dennis Zimmt"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVendor: The Apache Software Foundation\u003c/p\u003e\u003cp\u003eVersions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0\u003c/p\u003e\u003cp\u003eDescription: Attacker can elevate their privileges in any room\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Vendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0\n\nDescription: Attacker can elevate their privileges in any room\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-28T12:36:11.566Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9"
}
],
"source": {
"defect": [
"OPENMEETINGS-2739"
],
"discovery": "UNKNOWN"
},
"title": "Apache OpenMeetings: allows user impersonation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-28326",
"datePublished": "2023-03-28T12:36:11.566Z",
"dateReserved": "2023-03-14T09:26:00.600Z",
"dateUpdated": "2024-10-23T15:13:50.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27576 (GCVE-0-2021-27576)
Vulnerability from cvelistv5 – Published: 2021-03-15 09:05 – Updated: 2025-02-13 16:27
VLAI?
Summary
If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0
Severity ?
No CVSS data available.
CWE
- Server bandwidth overload
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
4.0.0 , < Apache OpenMeetings 4*
(custom)
Affected: Apache OpenMeetings 5 , ≤ 5.1.0 (custom) |
Credits
This issue was identified by Trung Le, Chi Tran, Linh Cua
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache OpenMeetings 4*",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.1.0",
"status": "affected",
"version": "Apache OpenMeetings 5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was identified by Trung Le, Chi Tran, Linh Cua"
}
],
"descriptions": [
{
"lang": "en",
"value": "If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server bandwidth overload",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T21:27:40.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache OpenMeetings: bandwidth can be overloaded with public web service",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-27576",
"STATE": "PUBLIC",
"TITLE": "Apache OpenMeetings: bandwidth can be overloaded with public web service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "Apache OpenMeetings 4",
"version_value": "4.0.0"
},
{
"version_affected": "\u003c=",
"version_name": "Apache OpenMeetings 5",
"version_value": "5.1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was identified by Trung Le, Chi Tran, Linh Cua"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server bandwidth overload"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-27576",
"datePublished": "2021-03-15T09:05:17.000Z",
"dateReserved": "2021-02-23T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:56.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1286 (GCVE-0-2018-1286)
Vulnerability from cvelistv5 – Published: 2018-02-28 18:00 – Updated: 2024-09-16 18:07
VLAI?
Summary
In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users.
Severity ?
No CVSS data available.
CWE
- Insufficient Access Controls
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
3.0.0 - 4.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8%40%3Cuser.openmeetings.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.0.0 - 4.0.1"
}
]
}
],
"datePublic": "2018-02-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient Access Controls",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-28T17:57:02",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8%40%3Cuser.openmeetings.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-02-25T00:00:00",
"ID": "CVE-2018-1286",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.0.0 - 4.0.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8@%3Cuser.openmeetings.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1286",
"datePublished": "2018-02-28T18:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-16T18:07:50.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8736 (GCVE-0-2016-8736)
Vulnerability from cvelistv5 – Published: 2017-10-12 18:00 – Updated: 2024-08-06 02:27
VLAI?
Summary
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
before 3.1.12
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:27:41.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94145"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "before 3.1.12"
}
]
}
],
"datePublic": "2016-07-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-20T19:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94145"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2016-8736",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "before 3.1.12"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne",
"refsource": "MISC",
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94145"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8736",
"datePublished": "2017-10-12T18:00:00",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-08-06T02:27:41.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7663 (GCVE-0-2017-7663)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-17 03:08
VLAI?
Summary
Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0.
Severity ?
No CVSS data available.
CWE
- XSS
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
3.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.768Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99577",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "99577",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7663",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99577",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"refsource": "MLIST",
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7663",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-17T03:08:15.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7666 (GCVE-0-2017-7666)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-16 18:39
VLAI?
Summary
Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.
Severity ?
No CVSS data available.
CWE
- CSRF
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/fkesu4e5hhz5xdbg"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CSRF",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/fkesu4e5hhz5xdbg"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7666",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CSRF"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers",
"refsource": "MLIST",
"url": "http://markmail.org/message/fkesu4e5hhz5xdbg"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7666",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T18:39:41.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7673 (GCVE-0-2017-7673)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-08-05 16:12
VLAI?
Summary
Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/3hshl26omwjo6c5i"
},
{
"name": "99587",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99587"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/3hshl26omwjo6c5i"
},
{
"name": "99587",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99587"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-7673",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords",
"refsource": "MLIST",
"url": "http://markmail.org/message/3hshl26omwjo6c5i"
},
{
"name": "99587",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99587"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7673",
"datePublished": "2017-07-14T15:00:00",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-08-05T16:12:27.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7685 (GCVE-0-2017-7685)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-16 16:59
VLAI?
Summary
Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.
Severity ?
No CVSS data available.
CWE
- Insecure HTTP Methods
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99592"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure HTTP Methods",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-17T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99592"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7685",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure HTTP Methods"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"refsource": "MLIST",
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99592"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7685",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T16:59:04.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7682 (GCVE-0-2017-7682)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-16 22:09
VLAI?
Summary
Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas.
Severity ?
No CVSS data available.
CWE
- Business Logic Bypass
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
3.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Business Logic Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7682",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Business Logic Bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"refsource": "MLIST",
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7682",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T22:09:03.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7688 (GCVE-0-2017-7688)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-17 03:02
VLAI?
Summary
Apache OpenMeetings 1.0.0 updates user password in insecure manner.
Severity ?
No CVSS data available.
CWE
- Insecure Password Update
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.837Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99586"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 updates user password in insecure manner."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Password Update",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99586"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7688",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 updates user password in insecure manner."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Password Update"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"refsource": "MLIST",
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99586"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7688",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-17T03:02:48.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7681 (GCVE-0-2017-7681)
Vulnerability from cvelistv5 – Published: 2017-07-14 15:00 – Updated: 2024-09-16 18:39
VLAI?
Summary
Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end.
Severity ?
No CVSS data available.
CWE
- SQL injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7681",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"refsource": "MLIST",
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7681",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T18:39:15.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54676 (GCVE-0-2024-54676)
Vulnerability from nvd – Published: 2025-01-08 08:40 – Updated: 2025-01-08 14:00
VLAI?
Summary
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
Severity ?
No CVSS data available.
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
2.1 , < 8.0.0
(semver)
|
Credits
m0d9 from Tencent Yunding Lab
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-01-08T09:02:51.250Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/01/08/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-54676",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-08T14:00:24.422606Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T14:00:52.923Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "8.0.0",
"status": "affected",
"version": "2.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "m0d9 from Tencent Yunding Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVendor: The Apache Software Foundation\u003c/p\u003e\u003cp\u003eVersions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0\u003c/p\u003eDescription: Default clustering instructions at \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://openmeetings.apache.org/Clustering.html\"\u003ehttps://openmeetings.apache.org/Clustering.html\u003c/a\u003e\u0026nbsp;doesn\u0027t specify white/black lists for OpenJPA this leads to possible \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003edeserialisation of untrusted data\u003c/span\u003e.\u003cbr\u003eUsers are recommended to upgrade to version 8.0.0 and \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eupdate their startup scripts to include the relevant \u003c/span\u003e\u003ccode\u003e\u0027openjpa.serialization.class.blacklist\u0027 and \u0027openjpa.serialization.class.whitelist\u0027 configurations as shown in the documentation\u003c/code\u003e."
}
],
"value": "Vendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0\n\nDescription: Default clustering instructions at https://openmeetings.apache.org/Clustering.html \u00a0doesn\u0027t specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.\nUsers are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant \u0027openjpa.serialization.class.blacklist\u0027 and \u0027openjpa.serialization.class.whitelist\u0027 configurations as shown in the documentation."
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-08T08:40:03.705Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/o0k05jxrt5tp4nm45lj14yfjxmg67m95"
}
],
"source": {
"defect": [
"OPENMEETINGS-2787"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: Deserialisation of untrusted data in cluster mode",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2024-54676",
"datePublished": "2025-01-08T08:40:03.705Z",
"dateReserved": "2024-12-05T04:43:41.354Z",
"dateUpdated": "2025-01-08T14:00:52.923Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28936 (GCVE-0-2023-28936)
Vulnerability from nvd – Published: 2023-05-12 07:45 – Updated: 2024-10-10 20:30
VLAI?
Summary
Attacker can access arbitrary recording/room
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
Severity ?
No CVSS data available.
CWE
- CWE-697 - Incorrect Comparison
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
2.0.0 , < 7.1.0
(semver)
|
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:39.125Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/y6vng44c22ll221rtvsv208x1pbjmdoc"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-28936",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T20:26:04.896745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T20:30:03.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Attacker can access arbitrary recording/room\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions\u0026nbsp;Affected: Apache OpenMeetings from 2.0.0 before 7.1.0\u003cbr\u003e"
}
],
"value": "Attacker can access arbitrary recording/room\n\nVendor: The Apache Software Foundation\n\nVersions\u00a0Affected: Apache OpenMeetings from 2.0.0 before 7.1.0\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-697",
"description": "CWE-697 Incorrect Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:45:04.835Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/y6vng44c22ll221rtvsv208x1pbjmdoc"
}
],
"source": {
"defect": [
"OPENMEETINGS-2762"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: insufficient check of invitation hash",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-28936",
"datePublished": "2023-05-12T07:45:04.835Z",
"dateReserved": "2023-03-28T15:43:06.369Z",
"dateUpdated": "2024-10-10T20:30:03.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29032 (GCVE-0-2023-29032)
Vulnerability from nvd – Published: 2023-05-12 07:43 – Updated: 2024-10-10 19:48
VLAI?
Summary
An attacker that has gained access to certain private information can use this to act as other user.
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0
Severity ?
No CVSS data available.
CWE
- CWE-287 - Improper Authentication
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
3.1.3 , < 7.1.0
(semver)
|
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.627Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "3.1.3",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:44:48.609636Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:48:37.089Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "3.1.3",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker that has gained access to certain private information can use this to act as other user.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0"
}
],
"value": "An attacker that has gained access to certain private information can use this to act as other user.\n\nVendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:43:30.483Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp"
}
],
"source": {
"defect": [
"OPENMEETINGS-2764"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: allows bypass authentication",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-29032",
"datePublished": "2023-05-12T07:43:30.483Z",
"dateReserved": "2023-03-30T04:39:06.692Z",
"dateUpdated": "2024-10-10T19:48:37.089Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29246 (GCVE-0-2023-29246)
Vulnerability from nvd – Published: 2023-05-12 07:43 – Updated: 2024-10-10 19:35
VLAI?
Summary
An attacker who has gained access to an admin account can perform RCE via null-byte injection
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
Severity ?
No CVSS data available.
CWE
- CWE-20 - Improper Input Validation
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
2.0.0 , < 7.1.0
(semver)
|
Credits
Stefan Schiller
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:16.063Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/230plvhbdx26m43b0sy942wlwt6kkmmr"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29246",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-10T19:34:24.542931Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-10T19:35:57.172Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.1.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Stefan Schiller"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn attacker who has gained access to an admin account can perform RCE via null-byte injection\u003c/span\u003e\u003cbr\u003e\u003cbr\u003eVendor: The Apache Software Foundation\u003cbr\u003e\u003cbr\u003eVersions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0"
}
],
"value": "An attacker who has gained access to an admin account can perform RCE via null-byte injection\n\nVendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0"
}
],
"metrics": [
{
"other": {
"content": {
"text": "important"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-12T07:43:20.422Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/230plvhbdx26m43b0sy942wlwt6kkmmr"
}
],
"source": {
"defect": [
"OPENMEETINGS-2765"
],
"discovery": "EXTERNAL"
},
"title": "Apache OpenMeetings: allows null-byte Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-29246",
"datePublished": "2023-05-12T07:43:20.422Z",
"dateReserved": "2023-04-04T15:31:03.257Z",
"dateUpdated": "2024-10-10T19:35:57.172Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28326 (GCVE-0-2023-28326)
Vulnerability from nvd – Published: 2023-03-28 12:36 – Updated: 2024-10-23 15:13
VLAI?
Summary
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0
Description: Attacker can elevate their privileges in any room
Severity ?
No CVSS data available.
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
2.0.0 , < 7.0.0
(semver)
|
Credits
Dennis Zimmt
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.190Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "openmeetings",
"vendor": "apache",
"versions": [
{
"lessThan": "7.0.0",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-28326",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-23T15:13:01.067926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-23T15:13:50.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "7.0.0",
"status": "affected",
"version": "2.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dennis Zimmt"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVendor: The Apache Software Foundation\u003c/p\u003e\u003cp\u003eVersions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0\u003c/p\u003e\u003cp\u003eDescription: Attacker can elevate their privileges in any room\u003c/p\u003e\u003cbr\u003e"
}
],
"value": "Vendor: The Apache Software Foundation\n\nVersions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0\n\nDescription: Attacker can elevate their privileges in any room\n\n\n"
}
],
"metrics": [
{
"other": {
"content": {
"text": "critical"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-28T12:36:11.566Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9"
}
],
"source": {
"defect": [
"OPENMEETINGS-2739"
],
"discovery": "UNKNOWN"
},
"title": "Apache OpenMeetings: allows user impersonation",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2023-28326",
"datePublished": "2023-03-28T12:36:11.566Z",
"dateReserved": "2023-03-14T09:26:00.600Z",
"dateUpdated": "2024-10-23T15:13:50.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-27576 (GCVE-0-2021-27576)
Vulnerability from nvd – Published: 2021-03-15 09:05 – Updated: 2025-02-13 16:27
VLAI?
Summary
If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0
Severity ?
No CVSS data available.
CWE
- Server bandwidth overload
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
4.0.0 , < Apache OpenMeetings 4*
(custom)
Affected: Apache OpenMeetings 5 , ≤ 5.1.0 (custom) |
Credits
This issue was identified by Trung Le, Chi Tran, Linh Cua
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:26:09.671Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache OpenMeetings 4*",
"status": "affected",
"version": "4.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "5.1.0",
"status": "affected",
"version": "Apache OpenMeetings 5",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was identified by Trung Le, Chi Tran, Linh Cua"
}
],
"descriptions": [
{
"lang": "en",
"value": "If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Server bandwidth overload",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-03T21:27:40.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache OpenMeetings: bandwidth can be overloaded with public web service",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-27576",
"STATE": "PUBLIC",
"TITLE": "Apache OpenMeetings: bandwidth can be overloaded with public web service"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "Apache OpenMeetings 4",
"version_value": "4.0.0"
},
{
"version_affected": "\u003c=",
"version_name": "Apache OpenMeetings 5",
"version_value": "5.1.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was identified by Trung Le, Chi Tran, Linh Cua"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0"
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server bandwidth overload"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r9bb615bd70a0197368f5f3ffc887162686caeb0b5fc30592a7a871e9%40%3Cuser.openmeetings.apache.org%3E"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-27576",
"datePublished": "2021-03-15T09:05:17.000Z",
"dateReserved": "2021-02-23T00:00:00.000Z",
"dateUpdated": "2025-02-13T16:27:56.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1286 (GCVE-0-2018-1286)
Vulnerability from nvd – Published: 2018-02-28 18:00 – Updated: 2024-09-16 18:07
VLAI?
Summary
In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users.
Severity ?
No CVSS data available.
CWE
- Insufficient Access Controls
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
3.0.0 - 4.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:59:37.608Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8%40%3Cuser.openmeetings.apache.org%3E"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.0.0 - 4.0.1"
}
]
}
],
"datePublic": "2018-02-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insufficient Access Controls",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-02-28T17:57:02",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8%40%3Cuser.openmeetings.apache.org%3E"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2018-02-25T00:00:00",
"ID": "CVE-2018-1286",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.0.0 - 4.0.1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insufficient Access Controls"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20180225 [ANNOUNCE] CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/dc2151baa5301bae773603cede0d62c21ee28588dd06e5e9253c13a8@%3Cuser.openmeetings.apache.org%3E"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2018-1286",
"datePublished": "2018-02-28T18:00:00Z",
"dateReserved": "2017-12-07T00:00:00",
"dateUpdated": "2024-09-16T18:07:50.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-8736 (GCVE-0-2016-8736)
Vulnerability from nvd – Published: 2017-10-12 18:00 – Updated: 2024-08-06 02:27
VLAI?
Summary
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
before 3.1.12
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T02:27:41.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/94145"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "before 3.1.12"
}
]
}
],
"datePublic": "2016-07-11T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-02-20T19:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/94145"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2016-8736",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "before 3.1.12"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne",
"refsource": "MISC",
"url": "http://openmeetings.markmail.org/thread/tr47byaaopnemvne"
},
{
"name": "94145",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/94145"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2016-8736",
"datePublished": "2017-10-12T18:00:00",
"dateReserved": "2016-10-18T00:00:00",
"dateUpdated": "2024-08-06T02:27:41.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7663 (GCVE-0-2017-7663)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-17 03:08
VLAI?
Summary
Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0.
Severity ?
No CVSS data available.
CWE
- XSS
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
3.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.768Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99577",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "XSS",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "99577",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7663",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "XSS"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99577",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99577"
},
{
"name": "[user] 20170713 CVE-2017-7663 - Apache OpenMeetings - XSS in chat",
"refsource": "MLIST",
"url": "http://markmail.org/message/aka2z2dq7icfw2p2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7663",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-17T03:08:15.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7666 (GCVE-0-2017-7666)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-16 18:39
VLAI?
Summary
Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.
Severity ?
No CVSS data available.
CWE
- CSRF
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.831Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/fkesu4e5hhz5xdbg"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CSRF",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/fkesu4e5hhz5xdbg"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7666",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CSRF"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers",
"refsource": "MLIST",
"url": "http://markmail.org/message/fkesu4e5hhz5xdbg"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7666",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T18:39:41.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7673 (GCVE-0-2017-7673)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-08-05 16:12
VLAI?
Summary
Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/3hshl26omwjo6c5i"
},
{
"name": "99587",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99587"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/3hshl26omwjo6c5i"
},
{
"name": "99587",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99587"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2017-7673",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords",
"refsource": "MLIST",
"url": "http://markmail.org/message/3hshl26omwjo6c5i"
},
{
"name": "99587",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99587"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7673",
"datePublished": "2017-07-14T15:00:00",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-08-05T16:12:27.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7685 (GCVE-0-2017-7685)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-16 16:59
VLAI?
Summary
Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.
Severity ?
No CVSS data available.
CWE
- Insecure HTTP Methods
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.873Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99592"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure HTTP Methods",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-17T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99592"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7685",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure HTTP Methods"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods",
"refsource": "MLIST",
"url": "http://markmail.org/message/uxk4bpq35svnyjhb"
},
{
"name": "99592",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99592"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7685",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T16:59:04.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7682 (GCVE-0-2017-7682)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-16 22:09
VLAI?
Summary
Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas.
Severity ?
No CVSS data available.
CWE
- Business Logic Bypass
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
3.2.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.934Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "3.2.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Business Logic Bypass",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7682",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "3.2.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Business Logic Bypass"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass",
"refsource": "MLIST",
"url": "http://markmail.org/message/dbrbvf5k343ulivf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7682",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T22:09:03.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7688 (GCVE-0-2017-7688)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-17 03:02
VLAI?
Summary
Apache OpenMeetings 1.0.0 updates user password in insecure manner.
Severity ?
No CVSS data available.
CWE
- Insecure Password Update
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.837Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99586"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 updates user password in insecure manner."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Insecure Password Update",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-15T09:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99586"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7688",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 updates user password in insecure manner."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Insecure Password Update"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update",
"refsource": "MLIST",
"url": "http://markmail.org/message/ctsiiqtekzsun6fi"
},
{
"name": "99586",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99586"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7688",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-17T03:02:48.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-7681 (GCVE-0-2017-7681)
Vulnerability from nvd – Published: 2017-07-14 15:00 – Updated: 2024-09-16 18:39
VLAI?
Summary
Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end.
Severity ?
No CVSS data available.
CWE
- SQL injection
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache OpenMeetings |
Affected:
1.0.0
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache OpenMeetings",
"vendor": "Apache Software Foundation",
"versions": [
{
"status": "affected",
"version": "1.0.0"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "SQL injection",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-14T14:57:01",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"DATE_PUBLIC": "2017-07-13T00:00:00",
"ID": "CVE-2017-7681",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache OpenMeetings",
"version": {
"version_data": [
{
"version_value": "1.0.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "SQL injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[user] 20170713 CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services",
"refsource": "MLIST",
"url": "http://markmail.org/message/j774dp5ro5xmkmg6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2017-7681",
"datePublished": "2017-07-14T15:00:00Z",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-09-16T18:39:15.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}