-
Notifications
You must be signed in to change notification settings - Fork 254
/
security.xml
373 lines (370 loc) · 19.7 KB
/
security.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<document xmlns="http://maven.apache.org/XDOC/2.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd">
<properties>
<title>Security Vulnerabilities</title>
<author email="dev@openmeetings.apache.org">Apache OpenMeetings Team</author>
</properties>
<body>
<section name="Security Vulnerabilities">
<p>Please note that binary patches are not produced for individual vulnerabilities. To obtain the
binary fix for a particular vulnerability you should upgrade to an Apache OpenMeetings version
where that vulnerability has been fixed.<br/>
<br/>
For more information about reporting vulnerabilities, see the
<a href="https://www.apache.org/security/">Apache Security Team</a> page.<br/>
<br/>
<a href="https://www.apache.org/security/committers.html#vulnerability-handling">Vulnerability handling guide</a>
</p>
<p>
REFERENCES -> permalink to the announce email in archives<br/>
Going forward, please include the <b>product and version information</b> in the <b>description</b> itself
as well as in the "[PRODUCT]" and "[VERSION]" lines in your submissions.
While this may seem redundant, including the information in both places satisfies different use cases and supports automation.
</p>
</section>
<section name="Reporting New Security Problems">
<p>
Please report any security errors to security@openmeetings.apache.org<br/>
<br/>
Please NOTE: only security issues should be reported to this list.
</p>
</section>
<section name="CVE-2023-28936: Apache OpenMeetings: insufficient check of invitation hash">
<p>Severity: Critical</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 2.0.0 before 7.1.0</p>
<p>Description: Attacker can access arbitrary recording/room<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2023-28936">CVE-2023-28936</a>
</p>
<p>The issue was fixed in 7.1.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 7.1.0</p>
<p>Credit: This issue was identified by Stefan Schiller</p>
</section>
<section name="CVE-2023-29032: Apache OpenMeetings: allows bypass authentication">
<p>Severity: Important</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 3.1.3 before 7.1.0</p>
<p>Description: An attacker that has gained access to certain private information can use this to act as other user.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2023-29032">CVE-2023-29032</a>
</p>
<p>The issue was fixed in 7.1.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 7.1.0</p>
<p>Credit: This issue was identified by Stefan Schiller</p>
</section>
<section name="CVE-2023-29246: Apache OpenMeetings: allows null-byte Injection">
<p>Severity: Important</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 2.0.0 before 7.0.0</p>
<p>Description: An attacker who has gained access to an admin account can perform RCE via null-byte injection<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2023-29246">CVE-2023-29246</a>
</p>
<p>The issue was fixed in 7.1.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 7.1.0</p>
<p>Credit: This issue was identified by Stefan Schiller</p>
</section>
<section name="CVE-2023-28326: Apache OpenMeetings: allows user impersonation">
<p>Severity: Critical</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 2.0.0 before 7.0.0</p>
<p>Description: Attacker can elevate their privileges in any room<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2023-28326">CVE-2023-28326</a>
</p>
<p>The issue was fixed in 7.0.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 7.0.0</p>
<p>Credit: This issue was identified by Dennis Zimmt</p>
</section>
<section name="CVE-2021-27576 - Apache OpenMeetings: bandwidth can be overloaded with public web service">
<p>Severity: Low</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 4.0.0 before 6.0.0</p>
<p>Description: NetTest web service can be used to overload the bandwidth of the server<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2021-27576">CVE-2021-27576</a>
</p>
<p>The issue was fixed in 6.0.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 6.0.0</p>
<p>Credit: This issue was identified by Trung Le, Chi Tran, Linh Cua</p>
</section>
<section name="CVE-2020-13951 - Apache Openmeetings: DoS via public web service">
<p>Severity: High</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 4.0.0 before 5.0.1</p>
<p>Description: NetTest web service can be used to perform Denial of Service attack<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2020-13951">CVE-2020-13951</a>
</p>
<p>The issue was fixed in 5.0.1<br/>
All users are recommended to upgrade to Apache OpenMeetings 5.0.1</p>
<p>Credit: This issue was identified by Trung Le, Chi Tran, Ngo Van Thien</p>
</section>
<section name="CVE-2018-1325 - Wicket jQuery UI: XSS while displaying value in WYSIWYG editor">
<p>Severity: High</p>
<p>Vendor: wicket-jquery-ui</p>
<p>Versions Affected: <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1</p>
<p>Description: JS code created in WYSIWYG editor will be executed on display<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2018-1325">CVE-2018-1325</a>
</p>
<p>The issue was fixed in 6.29.1, 7.10.2, 8.0.0-M9.2<br/>
All users are recommended to upgrade to Apache OpenMeetings 4.0.3</p>
<p>Credit: This issue was identified by Kamil Sevi</p>
</section>
<section name="CVE-2017-15719 - Wicket jQuery UI: XSS in WYSIWYG editor">
<p>Severity: High</p>
<p>Vendor: wicket-jquery-ui</p>
<p>Versions Affected: <= 6.28.0, <= 7.9.1, <= 8.0.0-M8</p>
<p>Description: Attacker can submit arbitrary JS code to WYSIWYG editor<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-15719">CVE-2017-15719</a>
</p>
<p>The issue was fixed in 6.28.1, 7.9.2, 8.0.0-M8.1<br/>
All users are recommended to upgrade to Apache OpenMeetings 4.0.2</p>
<p>Credit: This issue was identified by Sahil Dhar of Security Innovation Inc</p>
</section>
<section name="CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls">
<p>Severity: Medium</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 3.0.0 before 4.0.2</p>
<p>Description: CRUD operations on privileged users are not password protected allowing an authenticated attacker
to deny service for privileged users.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2018-1286">CVE-2018-1286</a>
</p>
<p>The issue was fixed in 4.0.2<br/>
All users are recommended to upgrade to Apache OpenMeetings 4.0.2</p>
<p>Credit: This issue was identified by Sahil Dhar of Security Innovation Inc</p>
</section>
<section name="CVE-2017-7663 - Apache OpenMeetings - XSS in chat">
<p>Severity: High</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: 3.2.0</p>
<p>Description: Both global and Room chat are vulnerable to XSS attack<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7663">CVE-2017-7663</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation">
<p>Severity: High</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 3.1.0 before 3.3.0</p>
<p>Description: Uploaded XML documents were not correctly validated<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7664">CVE-2017-7664</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers">
<p>Severity: High</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.0.0 before 3.3.0</p>
<p>Description: Apache Openmeetings is vulnerable to Cross-Site Request Forgery (CSRF)
attacks, XSS attacks, click-jacking, and MIME based attacks<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7666">CVE-2017-7666</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords">
<p>Severity: High</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.0.0 before 3.3.0</p>
<p>Description: Apache OpenMeetings uses not very strong cryptographic storage,
captcha is not used in registration and forget password dialogs and auth forms
missing brute force protection<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7673">CVE-2017-7673</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy">
<p>Severity: Low</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.0.0 before 3.3.0</p>
<p>Description: Apache OpenMeetings has an overly permissive
crossdomain.xml file. This allows for flash content to be loaded
from untrusted domains.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7680">CVE-2017-7680</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services">
<p>Severity: High</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.0.0 before 3.3.0</p>
<p>Description: Apache OpenMeetings is vulnerable to SQL injection
This allows authenticated users to modify the structure of the existing
query and leak the structure of other queries being made by the
application in the back-end<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7681">CVE-2017-7681</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass">
<p>Severity: Medium</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: 3.2.0</p>
<p>Description: Apache OpenMeetings is vulnerable to parameter manipulation
attacks, as a result attacker has access to restricted areas.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7682">CVE-2017-7682</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-7683 - Apache OpenMeetings - Information Disclosure">
<p>Severity: Lowest</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.0.0 before 3.3.0</p>
<p>Description: Apache OpenMeetings displays Tomcat version and
detailed error stack trace which is not secure.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7683">CVE-2017-7683</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-7684 - Apache OpenMeetings - Insecure File Upload">
<p>Severity: Low</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.0.0 before 3.3.0</p>
<p>Description: Apache OpenMeetings doesn't check contents of files
being uploaded. An attacker can cause a denial of service by
uploading multiple large files to the server<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7684">CVE-2017-7684</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods">
<p>Severity: Lowest</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.0.0 before 3.3.0</p>
<p>Description: Apache OpenMeetingsrespond to the following insecure HTTP
Methods: PUT, DELETE, HEAD, and PATCH.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7685">CVE-2017-7685</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update">
<p>Severity: Low</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.0.0 before 3.3.0</p>
<p>Description: Apache OpenMeetings updates user password in insecure manner.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-7688">CVE-2017-7688</a>
</p>
<p>The issue was fixed in 3.3.0<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
<p>Credit: This issue was identified by Security Innovation</p>
</section>
<section name="CVE-2017-5878 - RED5/AMF Unmarshalling RCE">
<p>Severity: Critical</p>
<p>Vendor: Red5</p>
<p>Versions Affected: before 3.1.4</p>
<p>Description: The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the
classes for which it performs deserialization, which allows remote attackers to execute
arbitrary code via crafted serialized Java data.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2017-5878">CVE-2017-5878</a>
</p>
<p>The issue was fixed in 3.1.4<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.1.4</p>
<p>Credit: This issue was identified by Moritz Bechler</p>
</section>
<section name="CVE-2016-8736 - Apache Openmeetings RMI Registry Java Deserialization RCE">
<p>Severity: Moderate</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 3.1.0 before 3.1.2</p>
<p>Description: Apache Openmeetings is vulnerable to Remote Code Execution via RMI deserialization attack<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2016-8736">CVE-2016-8736</a>
</p>
<p>The issue was fixed in 3.1.2<br/>
All users are recommended to upgrade to Apache OpenMeetings 3.1.3</p>
<p>Credit: This issue was identified by Jacob Baines, Tenable Network Security</p>
</section>
<section name="CVE-2016-3089 - Apache OpenMeetings XSS in SWF panel">
<p>Severity: Moderate</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 3.1.0 before 3.1.2</p>
<p>Description: The value of the URL's "swf" query parameter is interpolated into the JavaScript tag without
being escaped, leading to the reflected XSS.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2016-3089">CVE-2016-3089</a>
</p>
<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.2</p>
<p>Credit: This issue was identified by Matthew Daley</p>
</section>
<section name="CVE-2016-0783 - Predictable password reset token">
<p>Severity: Critical</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.9.x before 3.1.1</p>
<p>Description: The hash generated by the external password reset function is generated by concatenating the user
name and the current system time, and then hashing it using MD5. This is highly predictable and
can be cracked in seconds by an attacker with knowledge of the user name of an OpenMeetings
user.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2016-0783">CVE-2016-0783</a>
</p>
<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
<p>Credit: This issue was identified by Andreas Lindh</p>
</section>
<section name="CVE-2016-0784 - ZIP file path traversal">
<p>Severity: Moderate</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.9.x before 3.1.1</p>
<p>Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu
(http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially
crafted file names within ZIP archives. By uploading an archive containing a file named
../../../public/hello.txt will write the file “hello.txt” to the http://domain:5080/openmeetings/public/
directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd
party integrated executable) with a shell script, which would be executed the next time an image file
is uploaded and imagemagick is invoked.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2016-0784">CVE-2016-0784</a>
</p>
<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
<p>Credit: This issue was identified by Andreas Lindh</p>
</section>
<section name="CVE-2016-2163 - Stored Cross Site Scripting in Event description">
<p>Severity: Moderate</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.9.x before 3.1.1</p>
<p>Description: When creating an event, it is possible to create clickable URL links in the event description. These
links will be present inside the event details once a participant enters the room via the event. It is
possible to create a link like "javascript:alert('xss')", which will execute once the link is clicked. As
the link is placed within an <a> tag, the actual link is not visible to the end user which makes it hard
to tell if the link is legit or not.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2016-2163">CVE-2016-2163</a>
</p>
<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
<p>Credit: This issue was identified by Andreas Lindh</p>
</section>
<section name="CVE-2016-2164 - Arbitrary file read via SOAP API">
<p>Severity: Critical</p>
<p>Vendor: The Apache Software Foundation</p>
<p>Versions Affected: from 1.9.x before 3.1.1</p>
<p>Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile
methods in the FileService, it is possible to read arbitrary files from the system. This is due to that
Java's URL class is used without checking what protocol handler is specified in the API call.<br/>
<a href="https://www.cve.org/CVERecord?id=CVE-2016-2164">CVE-2016-2164</a>
</p>
<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
<p>Credit: This issue was identified by Andreas Lindh</p>
</section>
</body>
</document>