PT-2023-2090 · Apache · Apache Openmeetings

Dennis Zimmt · Published 2023-03-28 · Updated 2024-10-23 · CVE-2023-28326

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Apache OpenMeetings versions 2.0.0 through 6.x

Description

The issue is a lack of authentication for a critical function in Apache OpenMeetings, allowing an attacker to elevate their privileges in any room. Specifically, the problem lies in meeting invitation URLs, which contain a hash that automatically logs in as the invited user. An unauthorized user who obtains such a URL can log in to the meeting as the invited user, effectively elevating their privileges. It is estimated that a significant number of devices worldwide could be affected, although the exact number is not specified.

Recommendations

For Apache OpenMeetings versions 2.0.0 through 6.x, update to version 7.0.0 or later, which disables the vulnerable option if a contact is not selected. As a temporary workaround, consider restricting access to meeting invitation URLs to minimize the risk of exploitation. Avoid using the meeting invitation URL feature in affected versions until the issue is resolved.
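As an added illustration (not Apache OpenMeetings code; the class, field names and host are constructed), this Python model contrasts the affected invitation-link behaviour described above, where the hash in the URL alone logs the bearer in, with the fixed behaviour in which no automatic login is granted when no contact is selected:

```python
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed model of invitation-link handling; names and host are assumptions.

class InvitationService:
    def __init__(self, require_contact_for_auto_login: bool):
        # False models the affected releases; True models the 7.0.0 behaviour,
        # where automatic login is disabled if a contact is not selected.
        self.require_contact = require_contact_for_auto_login
        self._invitations = {}  # invitation hash -> record

    def create_invitation(self, room: str, login_as: str, contact: Optional[str]) -> str:
        # The hash is the only credential in the URL: whoever obtains the link can present it.
        inv_hash = secrets.token_urlsafe(24)
        self._invitations[inv_hash] = {"room": room, "login_as": login_as, "contact": contact}
        return f"https://meet.example.test/invite?hash={inv_hash}"  # constructed host

    def resolve(self, url: str, session_user: Optional[str]) -> dict:
        # Returns the identity the bearer of the link ends up with in the room.
        qs = parse_qs(urlparse(url).query)
        inv = self._invitations.get(qs.get("hash", [""])[0])
        if inv is None:
            # Unknown hash: nothing is granted; the bearer keeps whatever session it had.
            return {"room": None, "user": session_user, "auto_login": False}
        if inv["contact"] is None and self.require_contact:
            # Fixed path: no contact selected, so the link grants no identity of its own
            # and an unauthenticated bearer stays unauthenticated.
            return {"room": inv["room"], "user": session_user, "auto_login": False}
        # Affected path: the link alone authenticates the bearer as the invited identity,
        # regardless of who presents it. This is the privilege elevation the advisory describes.
        return {"room": inv["room"], "user": inv["login_as"], "auto_login": True}
```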

Fix

Weakness Enumeration

Missing Authentication
Improper Authentication

Related Identifiers

BDU:2023-01824
CVE-2023-28326
GHSA-3R48-3M8R-4R9W

Affected Products

Apache Openmeetings