openmeetings-server/src/site/xdoc/security.xml - openmeetings - Git at Google

 <?xml version="1.0" encoding="UTF-8"?>
 <!--
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
    You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
  -->
 <document xmlns="http://maven.apache.org/XDOC/2.0"
 		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 		xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd">
 	<properties>
 		<title>Security Vulnerabilities</title>
 		<author email="dev@openmeetings.apache.org">Apache OpenMeetings Team</author>
 	</properties>

 	<body>
 		<section name="Security Vulnerabilities">
 			<p>Please note that binary patches are not produced for individual vulnerabilities. To obtain the
 				binary fix for a particular vulnerability you should upgrade to an Apache OpenMeetings version
 				where that vulnerability has been fixed.<br/>
 				<br/>
 				For more information about reporting vulnerabilities, see the
 				<a href="https://www.apache.org/security/">Apache Security Team</a> page.<br/>
 				<br/>
 				<a href="https://www.apache.org/security/committers.html#vulnerability-handling">Vulnerability handling guide</a>
 			</p>
 			<p>
 				REFERENCES -> permalink to the announce email in archives<br/>
 				Going forward, please include the <b>product and version information</b> in the <b>description</b> itself
 				as well as in the "[PRODUCT]" and "[VERSION]" lines in your submissions.
 				While this may seem redundant, including the information in both places satisfies different use cases and supports automation.
 			</p>
 		</section>
 		<section name="Reporting New Security Problems">
 			<p>
 				Please report any security errors to security@openmeetings.apache.org<br/>
 				<br/>
 				Please NOTE: only security issues should be reported to this list.
 			</p>
 		</section>
 		<section name="CVE-2018-1325 - Wicket jQuery UI: XSS while displaying value in WYSIWYG editor">
 			<p>Severity: High</p>
 			<p>Vendor: wicket-jquery-ui</p>
 			<p>Versions Affected: &lt;= 6.29.0, &lt;= 7.10.1, &lt;= 8.0.0-M9.1</p>
 			<p>Description: JS code created in WYSIWYG editor will be executed on display<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1325">CVE-2018-1325</a>
 			</p>
 			<p>The issue was fixed in 6.29.1, 7.10.2, 8.0.0-M9.2<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 4.0.3</p>
 			<p>Credit: This issue was identified by Kamil Sevi</p>
 		</section>
 		<section name="CVE-2017-15719 - Wicket jQuery UI: XSS in WYSIWYG editor">
 			<p>Severity: High</p>
 			<p>Vendor: wicket-jquery-ui</p>
 			<p>Versions Affected: &lt;= 6.28.0, &lt;= 7.9.1, &lt;= 8.0.0-M8</p>
 			<p>Description: Attacker can submit arbitrary JS code to WYSIWYG editor<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15719">CVE-2017-15719</a>
 			</p>
 			<p>The issue was fixed in 6.28.1, 7.9.2, 8.0.0-M8.1<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 4.0.2</p>
 			<p>Credit: This issue was identified by Sahil Dhar of Security Innovation Inc</p>
 		</section>
 		<section name="CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls">
 			<p>Severity: Medium</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 3.0.0 - 4.0.1</p>
 			<p>Description: CRUD operations on privileged users are not password protected allowing an authenticated attacker
 				to deny service for privileged users.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1286">CVE-2018-1286</a>
 			</p>
 			<p>The issue was fixed in 4.0.2<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 4.0.2</p>
 			<p>Credit: This issue was identified by Sahil Dhar of Security Innovation Inc</p>
 		</section>
 		<section name="CVE-2017-7663 - Apache OpenMeetings - XSS in chat">
 			<p>Severity: High</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 3.2.0</p>
 			<p>Description: Both global and Room chat are vulnerable to XSS attack<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7663">CVE-2017-7663</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation">
 			<p>Severity: High</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 3.1.0</p>
 			<p>Description: Uploaded XML documents were not correctly validated<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7664">CVE-2017-7664</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers">
 			<p>Severity: High</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
 			<p>Description: Apache Openmeetings is vulnerable to Cross-Site Request Forgery (CSRF)
 					attacks, XSS attacks, click-jacking, and MIME based attacks<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7666">CVE-2017-7666</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-7673 - Apache OpenMeetings  Insufficient check in dialogs with passwords">
 			<p>Severity: High</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
 			<p>Description: Apache OpenMeetings uses not very strong cryptographic storage,
 					captcha is not used in registration and forget password dialogs and auth forms
 					missing brute force protection<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7673">CVE-2017-7673</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy">
 			<p>Severity: Low</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
 			<p>Description: Apache OpenMeetings has an overly permissive
 					crossdomain.xml file. This allows for flash content to be loaded
 					from untrusted domains.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7680">CVE-2017-7680</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services">
 			<p>Severity: High</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
 			<p>Description: Apache OpenMeetings is vulnerable to SQL injection
 					This allows authenticated users to modify the structure of the existing
 					query and leak the structure of other queries being made by the
 					application in the back-end<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7681">CVE-2017-7681</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass">
 			<p>Severity: Medium</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 3.2.0</p>
 			<p>Description: Apache OpenMeetings is vulnerable to parameter manipulation
 					attacks, as a result attacker has access to restricted areas.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7682">CVE-2017-7682</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-7683 - Apache OpenMeetings - Information Disclosure">
 			<p>Severity: Lowest</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
 			<p>Description: Apache OpenMeetings displays Tomcat version and
 					detailed error stack trace which is not secure.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7683">CVE-2017-7683</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-7684 - Apache OpenMeetings - Insecure File Upload">
 			<p>Severity: Low</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
 			<p>Description: Apache OpenMeetings doesn't check contents of files
 					being uploaded. An attacker can cause a denial of service by
 					uploading multiple large files to the server<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7684">CVE-2017-7684</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods">
 			<p>Severity: Lowest</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
 			<p>Description: Apache OpenMeetingsrespond to the following insecure HTTP
 					Methods: PUT, DELETE, HEAD, and PATCH.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7685">CVE-2017-7685</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update">
 			<p>Severity: Low</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
 			<p>Description: Apache OpenMeetings updates user password in insecure manner.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7688">CVE-2017-7688</a>
 			</p>
 			<p>The issue was fixed in 3.3.0<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
 			<p>Credit: This issue was identified by Security Innovation</p>
 		</section>
 		<section name="CVE-2017-5878 - RED5/AMF Unmarshalling RCE">
 			<p>Severity: Critical</p>
 			<p>Vendor: Red5</p>
 			<p>Versions Affected: Apache OpenMeetings 3.1.3 and earlier</p>
 			<p>Description: The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the
 				classes for which it performs deserialization, which allows remote attackers to execute
 				arbitrary code via crafted serialized Java data.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5878">CVE-2017-5878</a>
 			</p>
 			<p>The issue was fixed in 3.1.4<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.1.4</p>
 			<p>Credit: This issue was identified by Moritz Bechler</p>
 		</section>
 		<section name="CVE-2016-8736 - Apache Openmeetings RMI Registry Java Deserialization RCE">
 			<p>Severity: Moderate</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 3.1.0</p>
 			<p>Description: Apache Openmeetings is vulnerable to Remote Code Execution via RMI deserialization attack<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8736">CVE-2016-8736</a>
 			</p>
 			<p>The issue was fixed in 3.1.2<br/>
 				All users are recommended to upgrade to Apache OpenMeetings 3.1.3</p>
 			<p>Credit: This issue was identified by Jacob Baines, Tenable Network Security</p>
 		</section>
 		<section name="CVE-2016-3089 - Apache OpenMeetings XSS in SWF panel">
 			<p>Severity: Moderate</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 3.1.0</p>
 			<p>Description: The value of the URL's "swf" query parameter is interpolated into the JavaScript tag without
 				being escaped, leading to the reflected XSS.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3089">CVE-2016-3089</a>
 			</p>
 			<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.2</p>
 			<p>Credit: This issue was identified by Matthew Daley</p>
 		</section>
 		<section name="CVE-2016-0783 - Predictable password reset token">
 			<p>Severity: Critical</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p>
 			<p>Description: The hash generated by the external password reset function is generated by concatenating the user
 				name and the current system time, and then hashing it using MD5. This is highly predictable and
 				can be cracked in seconds by an attacker with knowledge of the user name of an OpenMeetings
 				user.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0783">CVE-2016-0783</a>
 			</p>
 			<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
 			<p>Credit: This issue was identified by Andreas Lindh</p>
 		</section>
 		<section name="CVE-2016-0784 - ZIP file path traversal">
 			<p>Severity: Moderate</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p>
 			<p>Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu
 				(http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially
 				crafted file names within ZIP archives. By uploading an archive containing a file named
 				../../../public/hello.txt will write the file “hello.txt” to the http://domain:5080/openmeetings/public/
 				directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd
 				party integrated executable) with a shell script, which would be executed the next time an image file
 				is uploaded and imagemagick is invoked.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0784">CVE-2016-0784</a>
 			</p>
 			<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
 			<p>Credit: This issue was identified by Andreas Lindh</p>
 		</section>
 		<section name="CVE-2016-2163 - Stored Cross Site Scripting in Event description">
 			<p>Severity: Moderate</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p>
 			<p>Description: When creating an event, it is possible to create clickable URL links in the event description. These
 				links will be present inside the event details once a participant enters the room via the event. It is
 				possible to create a link like "javascript:alert('xss')", which will execute once the link is clicked. As
 				the link is placed within an &lt;a&gt; tag, the actual link is not visible to the end user which makes it hard
 				to tell if the link is legit or not.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2163">CVE-2016-2163</a>
 			</p>
 			<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
 			<p>Credit: This issue was identified by Andreas Lindh</p>
 		</section>
 		<section name="CVE-2016-2164 - Arbitrary file read via SOAP API">
 			<p>Severity: Critical</p>
 			<p>Vendor: The Apache Software Foundation</p>
 			<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p>
 			<p>Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile
 				methods in the FileService, it is possible to read arbitrary files from the system. This is due to that
 				Java's URL class is used without checking what protocol handler is specified in the API call.<br/>
 				<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2164">CVE-2016-2164</a>
 			</p>
 			<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
 			<p>Credit: This issue was identified by Andreas Lindh</p>
 		</section>
 	</body>
 </document>
	<?xml version="1.0" encoding="UTF-8"?>
	<!--
	Licensed under the Apache License, Version 2.0 (the "License");
	you may not use this file except in compliance with the License.
	You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<document xmlns="http://maven.apache.org/XDOC/2.0"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd">
	<properties>
	<title>Security Vulnerabilities</title>
	<author email="dev@openmeetings.apache.org">Apache OpenMeetings Team</author>
	</properties>

	<body>
	<section name="Security Vulnerabilities">
	<p>Please note that binary patches are not produced for individual vulnerabilities. To obtain the
	binary fix for a particular vulnerability you should upgrade to an Apache OpenMeetings version
	where that vulnerability has been fixed.<br/>
	<br/>
	For more information about reporting vulnerabilities, see the
	<a href="https://www.apache.org/security/">Apache Security Team</a> page.<br/>
	<br/>
	<a href="https://www.apache.org/security/committers.html#vulnerability-handling">Vulnerability handling guide</a>
	</p>
	<p>
	REFERENCES -> permalink to the announce email in archives<br/>
	Going forward, please include the <b>product and version information</b> in the <b>description</b> itself
	as well as in the "[PRODUCT]" and "[VERSION]" lines in your submissions.
	While this may seem redundant, including the information in both places satisfies different use cases and supports automation.
	</p>
	</section>
	<section name="Reporting New Security Problems">
	<p>
	Please report any security errors to security@openmeetings.apache.org<br/>
	<br/>
	Please NOTE: only security issues should be reported to this list.
	</p>
	</section>
	<section name="CVE-2018-1325 - Wicket jQuery UI: XSS while displaying value in WYSIWYG editor">
	<p>Severity: High</p>
	<p>Vendor: wicket-jquery-ui</p>
	<p>Versions Affected: <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1</p>
	<p>Description: JS code created in WYSIWYG editor will be executed on display<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1325">CVE-2018-1325</a>
	</p>
	<p>The issue was fixed in 6.29.1, 7.10.2, 8.0.0-M9.2<br/>
	All users are recommended to upgrade to Apache OpenMeetings 4.0.3</p>
	<p>Credit: This issue was identified by Kamil Sevi</p>
	</section>
	<section name="CVE-2017-15719 - Wicket jQuery UI: XSS in WYSIWYG editor">
	<p>Severity: High</p>
	<p>Vendor: wicket-jquery-ui</p>
	<p>Versions Affected: <= 6.28.0, <= 7.9.1, <= 8.0.0-M8</p>
	<p>Description: Attacker can submit arbitrary JS code to WYSIWYG editor<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15719">CVE-2017-15719</a>
	</p>
	<p>The issue was fixed in 6.28.1, 7.9.2, 8.0.0-M8.1<br/>
	All users are recommended to upgrade to Apache OpenMeetings 4.0.2</p>
	<p>Credit: This issue was identified by Sahil Dhar of Security Innovation Inc</p>
	</section>
	<section name="CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls">
	<p>Severity: Medium</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 3.0.0 - 4.0.1</p>
	<p>Description: CRUD operations on privileged users are not password protected allowing an authenticated attacker
	to deny service for privileged users.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1286">CVE-2018-1286</a>
	</p>
	<p>The issue was fixed in 4.0.2<br/>
	All users are recommended to upgrade to Apache OpenMeetings 4.0.2</p>
	<p>Credit: This issue was identified by Sahil Dhar of Security Innovation Inc</p>
	</section>
	<section name="CVE-2017-7663 - Apache OpenMeetings - XSS in chat">
	<p>Severity: High</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 3.2.0</p>
	<p>Description: Both global and Room chat are vulnerable to XSS attack<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7663">CVE-2017-7663</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation">
	<p>Severity: High</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 3.1.0</p>
	<p>Description: Uploaded XML documents were not correctly validated<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7664">CVE-2017-7664</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers">
	<p>Severity: High</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
	<p>Description: Apache Openmeetings is vulnerable to Cross-Site Request Forgery (CSRF)
	attacks, XSS attacks, click-jacking, and MIME based attacks<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7666">CVE-2017-7666</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords">
	<p>Severity: High</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
	<p>Description: Apache OpenMeetings uses not very strong cryptographic storage,
	captcha is not used in registration and forget password dialogs and auth forms
	missing brute force protection<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7673">CVE-2017-7673</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy">
	<p>Severity: Low</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
	<p>Description: Apache OpenMeetings has an overly permissive
	crossdomain.xml file. This allows for flash content to be loaded
	from untrusted domains.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7680">CVE-2017-7680</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services">
	<p>Severity: High</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
	<p>Description: Apache OpenMeetings is vulnerable to SQL injection
	This allows authenticated users to modify the structure of the existing
	query and leak the structure of other queries being made by the
	application in the back-end<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7681">CVE-2017-7681</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass">
	<p>Severity: Medium</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 3.2.0</p>
	<p>Description: Apache OpenMeetings is vulnerable to parameter manipulation
	attacks, as a result attacker has access to restricted areas.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7682">CVE-2017-7682</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-7683 - Apache OpenMeetings - Information Disclosure">
	<p>Severity: Lowest</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
	<p>Description: Apache OpenMeetings displays Tomcat version and
	detailed error stack trace which is not secure.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7683">CVE-2017-7683</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-7684 - Apache OpenMeetings - Insecure File Upload">
	<p>Severity: Low</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
	<p>Description: Apache OpenMeetings doesn't check contents of files
	being uploaded. An attacker can cause a denial of service by
	uploading multiple large files to the server<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7684">CVE-2017-7684</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods">
	<p>Severity: Lowest</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
	<p>Description: Apache OpenMeetingsrespond to the following insecure HTTP
	Methods: PUT, DELETE, HEAD, and PATCH.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7685">CVE-2017-7685</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update">
	<p>Severity: Low</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.0.0</p>
	<p>Description: Apache OpenMeetings updates user password in insecure manner.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7688">CVE-2017-7688</a>
	</p>
	<p>The issue was fixed in 3.3.0<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p>
	<p>Credit: This issue was identified by Security Innovation</p>
	</section>
	<section name="CVE-2017-5878 - RED5/AMF Unmarshalling RCE">
	<p>Severity: Critical</p>
	<p>Vendor: Red5</p>
	<p>Versions Affected: Apache OpenMeetings 3.1.3 and earlier</p>
	<p>Description: The AMF unmarshallers in Red5 Media Server before 1.0.8 do not restrict the
	classes for which it performs deserialization, which allows remote attackers to execute
	arbitrary code via crafted serialized Java data.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5878">CVE-2017-5878</a>
	</p>
	<p>The issue was fixed in 3.1.4<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.1.4</p>
	<p>Credit: This issue was identified by Moritz Bechler</p>
	</section>
	<section name="CVE-2016-8736 - Apache Openmeetings RMI Registry Java Deserialization RCE">
	<p>Severity: Moderate</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 3.1.0</p>
	<p>Description: Apache Openmeetings is vulnerable to Remote Code Execution via RMI deserialization attack<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8736">CVE-2016-8736</a>
	</p>
	<p>The issue was fixed in 3.1.2<br/>
	All users are recommended to upgrade to Apache OpenMeetings 3.1.3</p>
	<p>Credit: This issue was identified by Jacob Baines, Tenable Network Security</p>
	</section>
	<section name="CVE-2016-3089 - Apache OpenMeetings XSS in SWF panel">
	<p>Severity: Moderate</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 3.1.0</p>
	<p>Description: The value of the URL's "swf" query parameter is interpolated into the JavaScript tag without
	being escaped, leading to the reflected XSS.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3089">CVE-2016-3089</a>
	</p>
	<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.2</p>
	<p>Credit: This issue was identified by Matthew Daley</p>
	</section>
	<section name="CVE-2016-0783 - Predictable password reset token">
	<p>Severity: Critical</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p>
	<p>Description: The hash generated by the external password reset function is generated by concatenating the user
	name and the current system time, and then hashing it using MD5. This is highly predictable and
	can be cracked in seconds by an attacker with knowledge of the user name of an OpenMeetings
	user.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0783">CVE-2016-0783</a>
	</p>
	<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
	<p>Credit: This issue was identified by Andreas Lindh</p>
	</section>
	<section name="CVE-2016-0784 - ZIP file path traversal">
	<p>Severity: Moderate</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0</p>
	<p>Description: The Import/Export System Backups functionality in the OpenMeetings Administration menu
	(http://domain:5080/openmeetings/#admin/backup) is vulnerable to path traversal via specially
	crafted file names within ZIP archives. By uploading an archive containing a file named
	../../../public/hello.txt will write the file “hello.txt” to the http://domain:5080/openmeetings/public/
	directory. This could be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd
	party integrated executable) with a shell script, which would be executed the next time an image file
	is uploaded and imagemagick is invoked.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0784">CVE-2016-0784</a>
	</p>
	<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
	<p>Credit: This issue was identified by Andreas Lindh</p>
	</section>
	<section name="CVE-2016-2163 - Stored Cross Site Scripting in Event description">
	<p>Severity: Moderate</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p>
	<p>Description: When creating an event, it is possible to create clickable URL links in the event description. These
	links will be present inside the event details once a participant enters the room via the event. It is
	possible to create a link like "javascript:alert('xss')", which will execute once the link is clicked. As
	the link is placed within an <a> tag, the actual link is not visible to the end user which makes it hard
	to tell if the link is legit or not.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2163">CVE-2016-2163</a>
	</p>
	<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
	<p>Credit: This issue was identified by Andreas Lindh</p>
	</section>
	<section name="CVE-2016-2164 - Arbitrary file read via SOAP API">
	<p>Severity: Critical</p>
	<p>Vendor: The Apache Software Foundation</p>
	<p>Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7</p>
	<p>Description: When attempting to upload a file via the API using the importFileByInternalUserId or importFile
	methods in the FileService, it is possible to read arbitrary files from the system. This is due to that
	Java's URL class is used without checking what protocol handler is specified in the API call.<br/>
	<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2164">CVE-2016-2164</a>
	</p>
	<p>All users are recommended to upgrade to Apache OpenMeetings 3.1.1</p>
	<p>Credit: This issue was identified by Andreas Lindh</p>
	</section>
	</body>
	</document>