Maven package

org.apache.openmeetings/openmeetings-parent

pkg:maven/org.apache.openmeetings/openmeetings-parent

Vulnerabilities (25)

CVE	Sev	CVSS	Affected versions	Fixed in	Published	Description
CVE-2026-34020	Hig	7.5	>= 3.1.3, < 9.0.0	9.0.0	Apr 9, 2026	Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact This issue affects Apache OpenMeet
CVE-2026-33266	Hig	7.5	>= 6.1.0, < 9.0.0	9.0.0	Apr 9, 2026	Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a
CVE-2026-33005	Med	4.3	>= 3.10, < 9.0.0	9.0.0	Apr 9, 2026	Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field.
CVE-2024-54676		—	>= 2.1.0, < 8.0.0	8.0.0	Jan 8, 2025	Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deseriali
CVE-2023-29032		—	>= 3.1.3, < 7.1.0	7.1.0	May 12, 2023	An attacker that has gained access to certain private information can use this to act as other user. Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0
CVE-2023-29246		—	>= 2.0.0, < 7.1.0	7.1.0	May 12, 2023	An attacker who has gained access to an admin account can perform RCE via null-byte injection Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
CVE-2023-28326		—	>= 2.0.0, < 7.0.0	7.0.0	Mar 28, 2023	Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Description: Attacker can elevate their privileges in any room
CVE-2021-27576		—	>= 4.0.0, < 6.0.0	6.0.0	Mar 15, 2021	If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0
CVE-2020-13951		—	>= 4.0.0, < 5.1.0	5.1.0	Sep 30, 2020	Attackers can use public NetTest web service of Apache OpenMeetings 4.0.0-5.0.0 to organize denial of service attack.
CVE-2018-1286		—	>= 3.0.0, < 4.0.2	4.0.2	Feb 28, 2018	In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users.
CVE-2016-8736	Cri	9.8	< 3.1.2	3.1.2	Oct 12, 2017	Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
CVE-2017-7688	Hig	7.5	>= 1.0.0, < 3.3.0	3.3.0	Jul 17, 2017	Apache OpenMeetings 1.0.0 updates user password in insecure manner.
CVE-2017-7685	Med	5.3	>= 1.0.0, < 3.3.0	3.3.0	Jul 17, 2017	Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.
CVE-2017-7684	Hig	7.5	>= 1.0.0, < 3.3.0	3.3.0	Jul 17, 2017	Apache OpenMeetings 1.0.0 doesn't check contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server.
CVE-2017-7683	Hig	7.5	>= 1.0.0, < 3.3.0	3.3.0	Jul 17, 2017	Apache OpenMeetings 1.0.0 displays Tomcat version and detailed error stack trace, which is not secure.
CVE-2017-7682	Hig	8.2	>= 3.2.0, < 3.3.0	3.3.0	Jul 17, 2017	Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas.
CVE-2017-7681	Hig	8.8	>= 1.0.0, < 3.3.0	3.3.0	Jul 17, 2017	Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end.
CVE-2017-7680	Hig	7.5	>= 1.0.0, < 3.3.0	3.3.0	Jul 17, 2017	Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains.
CVE-2017-7673	Cri	9.8	>= 1.0.0, < 3.3.0	3.3.0	Jul 17, 2017	Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.
CVE-2017-7666	Hig	8.8	>= 1.0.0, < 3.3.0	3.3.0	Jul 17, 2017	Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.

CVE-2026-34020HigApr 9, 2026
affected >= 3.1.3, < 9.0.0fixed 9.0.0
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact This issue affects Apache OpenMeet
CVE-2026-33266HigApr 9, 2026
affected >= 6.1.0, < 9.0.0fixed 9.0.0
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a
CVE-2026-33005MedApr 9, 2026
affected >= 3.10, < 9.0.0fixed 9.0.0
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field.
CVE-2024-54676Jan 8, 2025
affected >= 2.1.0, < 8.0.0fixed 8.0.0
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0 Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deseriali
CVE-2023-29032May 12, 2023
affected >= 3.1.3, < 7.1.0fixed 7.1.0
An attacker that has gained access to certain private information can use this to act as other user. Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0
CVE-2023-29246May 12, 2023
affected >= 2.0.0, < 7.1.0fixed 7.1.0
An attacker who has gained access to an admin account can perform RCE via null-byte injection Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
CVE-2023-28326Mar 28, 2023
affected >= 2.0.0, < 7.0.0fixed 7.0.0
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Description: Attacker can elevate their privileges in any room
CVE-2021-27576Mar 15, 2021
affected >= 4.0.0, < 6.0.0fixed 6.0.0
If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0
CVE-2020-13951Sep 30, 2020
affected >= 4.0.0, < 5.1.0fixed 5.1.0
Attackers can use public NetTest web service of Apache OpenMeetings 4.0.0-5.0.0 to organize denial of service attack.
CVE-2018-1286Feb 28, 2018
affected >= 3.0.0, < 4.0.2fixed 4.0.2
In Apache OpenMeetings 3.0.0 - 4.0.1, CRUD operations on privileged users are not password protected allowing an authenticated attacker to deny service for privileged users.
CVE-2016-8736CriOct 12, 2017
affected < 3.1.2fixed 3.1.2
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
CVE-2017-7688HigJul 17, 2017
affected >= 1.0.0, < 3.3.0fixed 3.3.0
Apache OpenMeetings 1.0.0 updates user password in insecure manner.
CVE-2017-7685MedJul 17, 2017
affected >= 1.0.0, < 3.3.0fixed 3.3.0
Apache OpenMeetings 1.0.0 responds to the following insecure HTTP methods: PUT, DELETE, HEAD, and PATCH.
CVE-2017-7684HigJul 17, 2017
affected >= 1.0.0, < 3.3.0fixed 3.3.0
Apache OpenMeetings 1.0.0 doesn't check contents of files being uploaded. An attacker can cause a denial of service by uploading multiple large files to the server.
CVE-2017-7683HigJul 17, 2017
affected >= 1.0.0, < 3.3.0fixed 3.3.0
Apache OpenMeetings 1.0.0 displays Tomcat version and detailed error stack trace, which is not secure.
CVE-2017-7682HigJul 17, 2017
affected >= 3.2.0, < 3.3.0fixed 3.3.0
Apache OpenMeetings 3.2.0 is vulnerable to parameter manipulation attacks, as a result attacker has access to restricted areas.
CVE-2017-7681HigJul 17, 2017
affected >= 1.0.0, < 3.3.0fixed 3.3.0
Apache OpenMeetings 1.0.0 is vulnerable to SQL injection. This allows authenticated users to modify the structure of the existing query and leak the structure of other queries being made by the application in the back-end.
CVE-2017-7680HigJul 17, 2017
affected >= 1.0.0, < 3.3.0fixed 3.3.0
Apache OpenMeetings 1.0.0 has an overly permissive crossdomain.xml file. This allows for flash content to be loaded from untrusted domains.
CVE-2017-7673CriJul 17, 2017
affected >= 1.0.0, < 3.3.0fixed 3.3.0
Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.
CVE-2017-7666HigJul 17, 2017
affected >= 1.0.0, < 3.3.0fixed 3.3.0
Apache OpenMeetings 1.0.0 is vulnerable to Cross-Site Request Forgery (CSRF) attacks, XSS attacks, click-jacking, and MIME based attacks.

Page 1 of 2