CVE-2023-28326 – org.apache.openmeetings:openmeetings-parent

Package

Manager: maven
Name: org.apache.openmeetings:openmeetings-parent
Vulnerable Version: >=2.0.0 <7.0.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00155 pctl0.36878

Details

Apache OpenMeetings missing authentication and can allow user impersonation The Apache Software Foundation's OpenMeetings from 2.0.0 before 7.0.0 is missing authentication on meeting invitation URLs. An invitation URL contains a hash that automatically logs in as the invited user. An unauthorized user could obtain this URL and log in to the meeting as an invited user, in effect elevating their privileges in the meeting room. OpenMeetings 7.0.0 disables this option if a contact is not selected.

Metadata

Created: 2023-03-28T15:30:18Z
Modified: 2023-04-04T17:38:51Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-3r48-3m8r-4r9w/GHSA-3r48-3m8r-4r9w.json
CWE IDs: ["CWE-306"]
Alternative ID: GHSA-3r48-3m8r-4r9w
Finding: F006
Auto approve: 1