Please note that binary patches are not produced for individual vulnerabilities. To obtain the
binary fix for a particular vulnerability you should upgrade to an Apache OpenMeetings version
where that vulnerability has been fixed.
For more information about reporting vulnerabilities, see the
Apache Security Team page.
Please report any security errors to security@openmeetings.apache.org
Please NOTE: only security issues should be reported to this list.
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0
Description: The hash generated by the external password reset function is generated by concatenating the user
name and the current system time, and then hashing it using MD5. This is highly predictable and
can be cracked in seconds by an attacker with knowledge of the user name of an OpenMeetings
user.
CVE-2016-0783
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0
Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu
(http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially
crafted file names within ZIP archives. By uploading an archive containing a file named
../../../public/hello.txt will write the file “hello.txt” to the http://domain:5080/openmeetings/public/
directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd
party integrated executable) with a shell script, which would be executed the next time an image file
is uploaded and imagemagick is invoked.
CVE-2016-0784
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7
Description: When creating an event, it is possible to create clickable URL links in the event description. These
links will be present inside the event details once a participant enters the room via the event. It is
possible to create a link like "javascript:alert('xss')", which will execute once the link is clicked. As
the link is placed within an <a> tag, the actual link is not visible to the end user which makes it hard
to tell if the link is legit or not.
CVE-2016-2163
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7
Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile
methods in the FileService, it is possible to read arbitrary files from the system. This is due to that
Java's URL class is used without checking what protocol handler is specified in the API call.
CVE-2016-2164
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh