CVE-2023-28326

CRITICAL9.8EPSS 1.1%

Apache OpenMeetings missing authentication and can allow user impersonation

Published: 3/28/2023Modified: 11/8/2023

Description

The Apache Software Foundation's OpenMeetings from 2.0.0 before 7.0.0 is missing authentication on meeting invitation URLs. An invitation URL contains a hash that automatically logs in as the invited user. An unauthorized user could obtain this URL and log in to the meeting as an invited user, in effect elevating their privileges in the meeting room. OpenMeetings 7.0.0 disables this option if a contact is not selected.

Affected packages (1)

Maven/org.apache.openmeetings:openmeetings-parent>= 2.0.0, < 7.0.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-28326
PATCHhttps://github.com/apache/openmeetings
WEBhttps://github.com/apache/openmeetings/commit/1fb71af36
WEBhttps://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9