Vulnerability in Apache OpenMeetings that allows access to any posts and discussions

A vulnerability (CVE-2023-28936) has been fixed in the Apache OpenMeetings web conferencing server that could allow access to arbitrary posts and chat rooms. The problem has been assigned a critical severity level. The vulnerability is caused by incorrect validation of the hash used to connect new participants. The bug has been present since the 2.0.0 release and was fixed in the Apache OpenMeetings 7.1.0 update released a few days ago.

In addition, two further, less severe vulnerabilities are fixed in Apache OpenMeetings 7.1.0:

  • CVE-2023-29032 - Authentication bypass. An attacker who knows certain sensitive information about a user can impersonate another user.
  • CVE-2023-29246 - Null-byte injection (a character can be replaced with a null code), which can be used to execute arbitrary code on the server if the attacker has access to an OpenMeetings administrator account.

Source: opennet.ru
