CVE-2023-28326

CRITICAL9.8EPSS 1.1%

Apache OpenMeetings missing authentication and can allow user impersonation

發布日:2023/3/28修改日:2023/11/8

描述

The Apache Software Foundation's OpenMeetings from 2.0.0 before 7.0.0 is missing authentication on meeting invitation URLs. An invitation URL contains a hash that automatically logs in as the invited user. An unauthorized user could obtain this URL and log in to the meeting as an invited user, in effect elevating their privileges in the meeting room. OpenMeetings 7.0.0 disables this option if a contact is not selected.

受影響套件(1)

Maven/org.apache.openmeetings:openmeetings-parent>= 2.0.0, < 7.0.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-28326
PATCHhttps://github.com/apache/openmeetings
WEBhttps://github.com/apache/openmeetings/commit/1fb71af36
WEBhttps://lists.apache.org/thread/r9vn12dp5yofn1h3wd5x4h7c3vmmr5d9