openmeetings

Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Pleas...

Published: Apr 9, 2026

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case ...

Published: Apr 9, 2026

Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (meta...

Published: Apr 9, 2026

Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html...

Published: Jan 8, 2025

Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack....

Published: Oct 12, 2017

Apache OpenMeetings 1.0.0 updates user password in insecure manner....

Published: Jul 17, 2017

Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH....

Published: Jul 17, 2017

Apache OpenMeetings 1.0.0 doesn't check contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server....

Published: Jul 17, 2017

Apache OpenMeetings 1.0.0 displays Tomcat version and detailed error stack trace, which is not secure....

Published: Jul 17, 2017

Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas....

Published: Jul 17, 2017

Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the applic...

Published: Jul 17, 2017

Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains....

Published: Jul 17, 2017

Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection....

Published: Jul 17, 2017

Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks....

Published: Jul 17, 2017

Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0....

Published: Jul 17, 2017

Both global and Room chat are vulnerable to XSS attack in Apache OpenMeetings 3.2.0....

Published: Jul 17, 2017

Cross-site scripting (XSS) vulnerability in the SWF panel in Apache OpenMeetings before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the swf parameter....

Published: Aug 19, 2016

The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified prot...

Published: Apr 11, 2016

Cross-site scripting (XSS) vulnerability in Apache OpenMeetings before 3.1.1 allows remote attackers to inject arbitrary web script or HTML via the event description when creating an event....

Published: Apr 11, 2016

Directory traversal vulnerability in the Import/Export System Backups functionality in Apache OpenMeetings before 3.1.1 allows remote authenticated administrators to write to arbitrary files via a .. ...

Published: Apr 11, 2016

The sendHashByUser function in Apache OpenMeetings before 3.1.1 generates predictable password reset tokens, which makes it easier for remote attackers to reset arbitrary user passwords by leveraging ...

Published: Apr 11, 2016