Vulnerability in Apache OpenMeetings that allows access to any posts and discussions

A vulnerability (CVE-2023-28936) has been fixed in the Apache OpenMeetings web conferencing server that could allow access to arbitrary posts and chat rooms. The problem has been assigned a critical severity level. The vulnerability is caused by incorrect validation of the hash used to connect new participants. The bug has been present since the 2.0.0 release and was fixed in the Apache OpenMeetings 7.1.0 update released a few days ago.

In addition, two less dangerous vulnerabilities are also fixed in Apache OpenMeetings 7.1.0:

  • CVE-2023-29032 - Ability to bypass authentication. An attacker who knows certain sensitive information about a user can impersonate another user.
  • CVE-2023-29246 - Null character injection that can be used to execute code on the server by someone who has access to an OpenMeetings administrator account.

Source: opennet.ru
