Repository: openmeetings
Updated Branches:
  refs/heads/3.3.x e3fd6ab13 -> 7a69f41ba
Documentation update for 3.3.0 release Project: http://git-wip-us.apache.org/repos/asf/openmeetings/repo Commit: http://git-wip-us.apache.org/repos/asf/openmeetings/commit/7a69f41b Tree: http://git-wip-us.apache.org/repos/asf/openmeetings/tree/7a69f41b Diff: http://git-wip-us.apache.org/repos/asf/openmeetings/diff/7a69f41b Branch: refs/heads/3.3.x Commit: 7a69f41baee91a33cc8e3994e763e8678e5d17fa Parents: e3fd6ab Author: Maxim Solodovnik <[email protected]> Authored: Tue Jun 27 00:09:00 2017 +0700 Committer: Maxim Solodovnik <[email protected]> Committed: Tue Jun 27 00:09:00 2017 +0700 ---------------------------------------------------------------------- CHANGELOG | 41 ++++++ README | 23 ++++ .../src/site/xdoc/NewsArchive.xml | 40 +++++- .../src/site/xdoc/ReleaseGuide.xml | 5 +- openmeetings-server/src/site/xdoc/downloads.xml | 44 +++--- openmeetings-server/src/site/xdoc/index.xml | 40 +++--- openmeetings-server/src/site/xdoc/security.xml | 138 ++++++++++++++++++- 7 files changed, 275 insertions(+), 56 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/openmeetings/blob/7a69f41b/CHANGELOG ---------------------------------------------------------------------- diff --git a/CHANGELOG b/CHANGELOG index f8cebf7..04a4933 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -5,6 +5,47 @@ See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-* (where * is the number Release Notes - Openmeetings - Version 3.2.1 ================================================================================================================ +** Vulnerability + * CVE-2017-7663 - Apache OpenMeetings XSS in chat + * CVE-2017-7664 - Apache OpenMeetings Missing XML Validation + * CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers + * CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords + * CVE-2017-7680 - Apache OpenMeetings Insecure crossdomain.xml policy + * CVE-2017-7681 - Apache OpenMeetings SQL injection in web services + * CVE-2017-7682 - Apache OpenMeetings Business Logic Bypass + * CVE-2017-7683 - Apache OpenMeetings Information Disclosure + * CVE-2017-7684 - Apache OpenMeetings Insecure File Upload + * CVE-2017-7685 - Apache OpenMeetings Insecure HTTP Methods + * CVE-2017-7688 - Apache OpenMeetings Insecure Password Update + +** Bug + * [OPENMEETINGS-159] - Horizontal scrolling for Low resolution screen + * [OPENMEETINGS-1609] - When you select the color of the object to be placed on the white board, the left side of the color selection window is hidden. 
+ * [OPENMEETINGS-1610] - "'timepicker' is not a valid LocalTime + * [OPENMEETINGS-1611] - JS errors in OM Admin + * [OPENMEETINGS-1616] - New chat messages should be added to the bottom + * [OPENMEETINGS-1619] - User details panel is cut off when admin click on add new user button + * [OPENMEETINGS-1620] - 'Unenroll user' is not fully working + * [OPENMEETINGS-1624] - "File upload" Window hidden behind whiteboard with Internet Explorer 11 + * [OPENMEETINGS-1630] - It is impossible to get room count using REST + * [OPENMEETINGS-1631] - User can vote multiple times + * [OPENMEETINGS-1648] - External process time-to-live should be configurable + * [OPENMEETINGS-1651] - Chat - Window hidden behind whiteboard with Internet Explorer 11 + * [OPENMEETINGS-1654] - No nickname dialog, wrong name on video window + * [OPENMEETINGS-1655] - Whiteboard room element can not be hidden + +** Improvement + * [OPENMEETINGS-553] - GSOC: Need to have possibility to import/export or sync events from OpenMeetings calendar using ical or caldav protocol. 
+ * [OPENMEETINGS-1554] - Please add the feature to upload your video files to the server, in the recording section + * [OPENMEETINGS-1607] - "Raise your hand" notification should also be added in user-list + * [OPENMEETINGS-1612] - 3.3.0 - Library versions should be updated + * [OPENMEETINGS-1617] - BackupExport should write directly to zip file + * [OPENMEETINGS-1634] - File tree drag to trash, need to be enhanced + * [OPENMEETINGS-1650] - Make Audio Alerts Configurable + + +Release Notes - Openmeetings - Version 3.2.1 +================================================================================================================ ** Bug * [OPENMEETINGS-571] - Chat area does not resize when resizing browser window * [OPENMEETINGS-1437] - behavior os share audio and share audio/video button ist different http://git-wip-us.apache.org/repos/asf/openmeetings/blob/7a69f41b/README ---------------------------------------------------------------------- diff --git a/README b/README index fb4c599..8f4b0e6 100644 --- a/README +++ b/README 
@@ -8,6 +8,29 @@ Apache OpenMeetings provides video conferencing, instant messaging, white board, collaborative document editing and other groupware tools using API functions of the Red5 Streaming Server for Remoting and Streaming. +Release Notes 3.3.0 +============= +see CHANGELOG file for detailed log + +Release 3.3.0, provides following improvements: + +Security fixes in: +* Chat +* All requests via security headers +* More secure password processing rules and storage +* More strict rules for uploaded files +* SQL injection in web services + +11 security vulnerabilities were addressed + +Whiteboard: +* Room is displayed without overlap in IE +* Multiple display issues +* Wb room element can now be hidden + +Other fixes and improvements, 21 issues were fixed + + Release Notes 3.2.1 ============= see CHANGELOG file for detailed log http://git-wip-us.apache.org/repos/asf/openmeetings/blob/7a69f41b/openmeetings-server/src/site/xdoc/NewsArchive.xml ---------------------------------------------------------------------- diff --git a/openmeetings-server/src/site/xdoc/NewsArchive.xml b/openmeetings-server/src/site/xdoc/NewsArchive.xml index 48b77f9..54c60e8 100644 --- a/openmeetings-server/src/site/xdoc/NewsArchive.xml +++ b/openmeetings-server/src/site/xdoc/NewsArchive.xml @@ -13,7 +13,7 @@ limitations under the License. --> <document xmlns="http://maven.apache.org/XDOC/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> + xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> <properties> <title>News archive</title> <author email="[email protected]">Apache OpenMeetings Team</author> 
@@ -22,6 +22,44 @@ <body> <section name="News"> <div class="bs-callout bs-callout-info"> + <b>Version 3.2.1 released!</b> + <div>Service release 1 for 3.2.0, provides following improvements:<br/> + Room<br/> + <ul> + <li>Video is more stable</li> + <li>Office files download is fixed</li> + <li>Multi-upload is added</li> + <li>External video works as expected</li> + <li>WB drawing on slides works as expected</li> + </ul> + <br/> + Chat<br/> + <ul> + <li>chat is made resizable</li> + <li>multiple issues in chat are fixed</li> + <li>typing indicator is added</li> + </ul> + <br/> + Calendar<br/> + <ul> + <li>date/time validator is improved</li> + <li>whole group can be invited by admin to event</li> + </ul> + <br/> + Other fixes and improvements + <br/> + <span class="bs-callout bs-callout-info">Please update to this release from any previous OpenMeetings release</span> + </div> + <br/> + <span> + 49 issues are fixed please check <br/> + <a href="https://www.apache.org/dist/openmeetings/3.2.1/CHANGELOG">CHANGELOG</a> and + <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12339215">Detailed list</a> + </span> + <span> See <a href="downloads.html">Downloads page</a>.</span> + <span class="date">(2017-03-21)</span> + </div> + <div class="bs-callout bs-callout-info"> <b>Version 3.2.0 released!</b> <div>Release 3.2.0, provides Partial HTML5 room:<br/> Room is partially moved to HTML5<br/> http://git-wip-us.apache.org/repos/asf/openmeetings/blob/7a69f41b/openmeetings-server/src/site/xdoc/ReleaseGuide.xml ---------------------------------------------------------------------- diff --git a/openmeetings-server/src/site/xdoc/ReleaseGuide.xml b/openmeetings-server/src/site/xdoc/ReleaseGuide.xml index db7ab1b..5bad83b 100644 --- a/openmeetings-server/src/site/xdoc/ReleaseGuide.xml +++ b/openmeetings-server/src/site/xdoc/ReleaseGuide.xml 
@@ -28,10 +28,7 @@ <ul> <li>Sun JDK8</li> <li>Apache Maven 3.3.9</li> - <li> - SVN Command line client (Subversion 1.7 required!) - <a href="http://subversion.apache.org/packages.html" target="_blank" rel="nofollow">http://subversion.apache.org/packages.html</a> - </li> + <li>Git Command line client</li> <li>A text editor</li> <li>You need to be online! The build process actively downloads needed libraries and dependencies.</li> <li>Valid certficate to be able to enter <a href="https://securesigning.websecurity.symantec.com/csportal/">https://securesigning.websecurity.symantec.com/csportal/</a> http://git-wip-us.apache.org/repos/asf/openmeetings/blob/7a69f41b/openmeetings-server/src/site/xdoc/downloads.xml ---------------------------------------------------------------------- diff --git a/openmeetings-server/src/site/xdoc/downloads.xml b/openmeetings-server/src/site/xdoc/downloads.xml index bbdcbb4..dc94f8b 100644 --- a/openmeetings-server/src/site/xdoc/downloads.xml +++ b/openmeetings-server/src/site/xdoc/downloads.xml 
@@ -13,43 +13,40 @@ limitations under the License. --> <document xmlns="http://maven.apache.org/XDOC/2.0" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> - + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> <properties> <title>Downloads</title> <author email="[email protected]">Apache OpenMeetings Team</author> </properties> <body> - <section name="Downloads"> <p> All downloads can be verified using the Apache OpenMeetings code - signing <a href="https://www.apache.org/dist/openmeetings/3.2.1/KEYS">KEYS</a>, changes: <a - href="https://www.apache.org/dist/openmeetings/3.2.1/CHANGELOG">CHANGELOG</a>. + signing <a href="https://www.apache.org/dist/openmeetings/3.3.0/KEYS">KEYS</a>, changes: <a + href="https://www.apache.org/dist/openmeetings/3.3.0/CHANGELOG">CHANGELOG</a>. </p> <p> All are available for download as source and binary. 
</p> - <subsection name="Latest Official Release"> <p> - Apache Openmeetings 3.2.1 + Apache Openmeetings 3.3.0 </p> <ul> <li> Binaries: <ul> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.2.1/bin/apache-openmeetings-3.2.1.zip">apache-openmeetings-3.2.1.zip</a> - <a href="http://www.apache.org/dist/openmeetings/3.2.1/bin/apache-openmeetings-3.2.1.zip.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.2.1/bin/apache-openmeetings-3.2.1.zip.sha256">[SHA256]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.3.0/bin/apache-openmeetings-3.3.0.zip">apache-openmeetings-3.3.0.zip</a> + <a href="http://www.apache.org/dist/openmeetings/3.3.0/bin/apache-openmeetings-3.3.0.zip.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.3.0/bin/apache-openmeetings-3.3.0.zip.sha256">[SHA256]</a> </li> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.2.1/bin/apache-openmeetings-3.2.1.tar.gz">apache-openmeetings-3.2.1.tar.gz</a> - <a href="http://www.apache.org/dist/openmeetings/3.2.1/bin/apache-openmeetings-3.2.1.tar.gz.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.2.1/bin/apache-openmeetings-3.2.1.tar.gz.sha256">[SHA256]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.3.0/bin/apache-openmeetings-3.3.0.tar.gz">apache-openmeetings-3.3.0.tar.gz</a> + <a href="http://www.apache.org/dist/openmeetings/3.3.0/bin/apache-openmeetings-3.3.0.tar.gz.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.3.0/bin/apache-openmeetings-3.3.0.tar.gz.sha256">[SHA256]</a> </li> </ul> </li> 
@@ -57,21 +54,19 @@ Sources: <ul> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.2.1/src/apache-openmeetings-3.2.1-src.zip">apache-openmeetings-3.2.1-src.zip</a> - <a href="http://www.apache.org/dist/openmeetings/3.2.1/src/apache-openmeetings-3.2.1-src.zip.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.2.1/src/apache-openmeetings-3.2.1-src.zip.sha256">[SHA256]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.3.0/src/apache-openmeetings-3.3.0-src.zip">apache-openmeetings-3.3.0-src.zip</a> + <a href="http://www.apache.org/dist/openmeetings/3.3.0/src/apache-openmeetings-3.3.0-src.zip.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.3.0/src/apache-openmeetings-3.3.0-src.zip.sha256">[SHA256]</a> </li> <li> - <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.2.1/src/apache-openmeetings-3.2.1-src.tar.gz">apache-openmeetings-3.2.1-src.tar.gz</a> - <a href="http://www.apache.org/dist/openmeetings/3.2.1/src/apache-openmeetings-3.2.1-src.tar.gz.asc">[SIG]</a> - <a href="http://www.apache.org/dist/openmeetings/3.2.1/src/apache-openmeetings-3.2.1-src.tar.gz.sha256">[SHA256]</a> + <a href="http://www.apache.org/dyn/closer.lua/openmeetings/3.3.0/src/apache-openmeetings-3.3.0-src.tar.gz">apache-openmeetings-3.3.0-src.tar.gz</a> + <a href="http://www.apache.org/dist/openmeetings/3.3.0/src/apache-openmeetings-3.3.0-src.tar.gz.asc">[SIG]</a> + <a href="http://www.apache.org/dist/openmeetings/3.3.0/src/apache-openmeetings-3.3.0-src.tar.gz.sha256">[SHA256]</a> </li> </ul> </li> </ul> - </subsection> - <subsection name="Previous Official Releases"> <p> Apache Openmeetings releases available here: 
@@ -82,15 +77,12 @@ <a href="http://archive.apache.org/dist/incubator/openmeetings/2.0-incubating/">http://archive.apache.org/dist/incubator/openmeetings/2.0-incubating</a> </p> </subsection> - <subsection name="Plugins / Non ASF downloads"> - <p> If you are looking for more plugins for 3th party applications (Moodle, Drupal, Joomla, ...) check out <a href="https://github.com/openmeetings/" target="_blank" rel="nofollow">github.com</a> or ask <a href="commercial-support.html">commercial support</a>. </p> - <p> OpenMeetings releases that are not part of the ASF can be downloaded from the old @@ -98,8 +90,6 @@ target="_blank">GoogleCode website</a> </p> </subsection> - </section> </body> </document> - http://git-wip-us.apache.org/repos/asf/openmeetings/blob/7a69f41b/openmeetings-server/src/site/xdoc/index.xml ---------------------------------------------------------------------- diff --git a/openmeetings-server/src/site/xdoc/index.xml b/openmeetings-server/src/site/xdoc/index.xml index da07c95..7b2fd2f 100644 --- a/openmeetings-server/src/site/xdoc/index.xml +++ b/openmeetings-server/src/site/xdoc/index.xml @@ -13,7 +13,7 @@ limitations under the License. --> <document xmlns="http://maven.apache.org/XDOC/2.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> + xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> <properties> <title>Home</title> <author email="[email protected]">Apache OpenMeetings Team</author> 
@@ -69,28 +69,24 @@ </section> <section name="News"> <div class="bs-callout bs-callout-danger"> - <b>Version 3.2.1 released!</b> - <div>Service release 1 for 3.2.0, provides following improvements:<br/> - Room<br/> + <b>Version 3.3.0 released!</b> + <div>Release 3.3.0, provides following improvements:<br/> + Security fixes in<br/> <ul> - <li>Video is more stable</li> - <li>Office files download is fixed</li> - <li>Multi-upload is added</li> - <li>External video works as expected</li> - <li>WB drawing on slides works as expected</li> + <li>Chat</li> + <li>All requests via security headers</li> + <li>More secure password processing rules and storage</li> + <li>More strict rules for uploaded files</li> + <li>SQL injection in web services</li> </ul> <br/> - Chat<br/> - <ul> - <li>chat is made resizable</li> - <li>multiple issues in chat are fixed</li> - <li>typing indicator is added</li> - </ul> + 11 security vulnerabilities were addressed<br/> <br/> - Calendar<br/> + Whiteboard<br/> <ul> - <li>date/time validator is improved</li> - <li>whole group can be invited by admin to event</li> + <li>Room is displayed without overlap in IE</li> + <li>Multiple display issues</li> + <li>Wb room element can now be hidden</li> </ul> <br/> Other fixes and improvements 
@@ -99,12 +95,12 @@ </div> <br/> <span> - 49 issues are fixed please check <br/> - <a href="https://www.apache.org/dist/openmeetings/3.2.1/CHANGELOG">CHANGELOG</a> and - <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12339215">Detailed list</a> + 21 issues are fixed please check <br/> + <a href="https://www.apache.org/dist/openmeetings/3.3.0/CHANGELOG">CHANGELOG</a> and + <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12312720&version=12339849">Detailed list</a> </span> <span> See <a href="downloads.html">Downloads page</a>.</span> - <span class="date">(2017-03-21)</span> + <span class="date">(2017-06-27)</span> </div> <div class="bs-callout bs-callout-info"> <span class="date"><a href="NewsArchive.html">You can find older news here</a></span> http://git-wip-us.apache.org/repos/asf/openmeetings/blob/7a69f41b/openmeetings-server/src/site/xdoc/security.xml ---------------------------------------------------------------------- diff --git a/openmeetings-server/src/site/xdoc/security.xml b/openmeetings-server/src/site/xdoc/security.xml index efaf4e5..ce71047 100644 --- a/openmeetings-server/src/site/xdoc/security.xml +++ b/openmeetings-server/src/site/xdoc/security.xml @@ -13,8 +13,8 @@ limitations under the License. --> <document xmlns="http://maven.apache.org/XDOC/2.0" - xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" - xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://maven.apache.org/XDOC/2.0 http://maven.apache.org/xsd/xdoc-2.0.xsd"> <properties> <title>Security Vulnerabilities</title> <author email="[email protected]">Apache OpenMeetings Team</author> 
@@ -39,6 +39,140 @@ Please NOTE: only security issues should be reported to this list. </p> </section> + <section name="CVE-2017-7663 - Apache OpenMeetings - XSS in chat"> + <p>Severity: High</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 3.2.0</p> + <p>Description: Both global and Room chat are vulnerable to XSS attack<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7663">CVE-2017-7663</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + </section> + <section name="CVE-2017-7664 - Apache OpenMeetings - Missing XML Validation"> + <p>Severity: High</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 3.1.0</p> + <p>Description: Uploaded XML documents were not correctly validated<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7664">CVE-2017-7664</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + </section> + <section name="CVE-2017-7666 - Apache OpenMeetings Missing Secure Headers"> + <p>Severity: High</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.0.0</p> + <p>Description: Apache Openmeetings is vulnerable to Cross-Site Request Forgery (CSRF) + attacks, XSS attacks, click-jacking, and MIME based attacks<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7666">CVE-2017-7666</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + </section> + <section name="CVE-2017-7673 - Apache OpenMeetings Insufficient check in dialogs with passwords"> + <p>Severity: 
High</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.0.0</p> + <p>Description: Apache OpenMeetings uses not very strong cryptographic storage, + captcha is not used in registration and forget password dialogs and auth forms + missing brute force protection<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7673">CVE-2017-7673</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + </section> + <section name="CVE-2017-7680 - Apache OpenMeetings - Insecure crossdomain.xml policy"> + <p>Severity: Low</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.0.0</p> + <p>Description: Apache OpenMeetings has an overly permissive + crossdomain.xml file. This allows for flash content to be loaded + from untrusted domains.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7680">CVE-2017-7680</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + </section> + <section name="CVE-2017-7681 - Apache OpenMeetings - SQL injection in web services"> + <p>Severity: High</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.0.0</p> + <p>Description: Apache OpenMeetings is vulnerable to SQL injection + This allows authenticated users to modify the structure of the existing + query and leak the structure of other queries being made by the + application in the back-end<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7681">CVE-2017-7681</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + 
</section> + <section name="CVE-2017-7682 - Apache OpenMeetings - Business Logic Bypass"> + <p>Severity: Medium</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 3.2.0</p> + <p>Description: Apache OpenMeetings is vulnerable to parameter manipulation + attacks, as a result attacker has access to restricted areas.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7682">CVE-2017-7682</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + </section> + <section name="CVE-2017-7683 - Apache OpenMeetings - Information Disclosure"> + <p>Severity: Lowest</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.0.0</p> + <p>Description: Apache OpenMeetings displays Tomcat version and + detailed error stack trace which is not secure.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7683">CVE-2017-7683</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + </section> + <section name="CVE-2017-7684 - Apache OpenMeetings - Insecure File Upload"> + <p>Severity: Low</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.0.0</p> + <p>Description: Apache OpenMeetings doesn't check contents of files + being uploaded. 
An attacker can cause a denial of service by + uploading multiple large files to the server<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7684">CVE-2017-7684</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + </section> + <section name="CVE-2017-7685 - Apache OpenMeetings - Insecure HTTP Methods"> + <p>Severity: Lowest</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.0.0</p> + <p>Description: Apache OpenMeetingsrespond to the following insecure HTTP + Methods: PUT, DELETE, HEAD, and PATCH.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7685">CVE-2017-7685</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + </section> + <section name="CVE-2017-7688 - Apache OpenMeetings - Insecure Password Update"> + <p>Severity: Low</p> + <p>Vendor: The Apache Software Foundation</p> + <p>Versions Affected: Apache OpenMeetings 1.0.0</p> + <p>Description: Apache OpenMeetings updates user password in insecure manner.<br/> + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7688">CVE-2017-7688</a> + </p> + <p>The issue was fixed in 3.3.0<br/> + All users are recommended to upgrade to Apache OpenMeetings 3.3.0</p> + <p>Credit: This issue was identified by Security Innovation</p> + </section> <section name="CVE-2016-8736 - Apache Openmeetings RMI Registry Java Deserialization RCE"> <p>Severity: Moderate</p> <p>Vendor: The Apache Software Foundation</p>
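Review bot: In the CHANGELOG hunk, the new 3.3.0 entries land under the unchanged context header "Release Notes - Openmeetings - Version 3.2.1", and the hunk then adds a second header with the same 3.2.1 text ahead of the old bug list. As written, the file ends up with two 3.2.1 sections and none for 3.3.0, so the eleven CVE entries are attributed to the wrong release; the first header should read "Version 3.3.0". The added OPENMEETINGS-1610 line also opens a double quote that is never closed.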
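Review bot: In the ReleaseGuide.xml prerequisites list, the new "Git Command line client" item drops both the minimum version and the download link that the removed SVN item carried. The neighbouring entries pin versions (JDK8, Maven 3.3.9), so if the release steps depend on a particular Git version, state it here and link to where the client can be obtained.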
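Review bot: In both downloads.xml hunks, the rewritten artifact, [SIG] and [SHA256] links still point at http://www.apache.org/..., while the KEYS and CHANGELOG links a few lines above use https://. A .sha256 file fetched over plain HTTP can be replaced together with the archive it describes, so on its own it proves nothing to a reader on an untrusted network; only the .asc signature checked against KEYS does. Since every one of these lines is being touched for the version bump anyway, switch the dist links to https:// in the same change.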
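Review bot: In the index.xml news hunk, the 3.3.0 entry states "11 security vulnerabilities were addressed" but the links that follow go only to CHANGELOG and the JIRA release notes, not to the security page that this same commit extends with the advisories. Add a link to that page next to the sentence so readers can reach the CVE details directly. The item "SQL injection in web services" also reads oddly under the "Security fixes in" heading, where the other items name the area that was fixed rather than the flaw.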
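Review bot: In the security.xml hunk at -39,6, every new advisory gives "Versions Affected" as a single version ("Apache OpenMeetings 3.2.0", "3.1.0" or "1.0.0"), which does not tell an operator whether later releases up to the fix are affected; state the range explicitly, as the fix version 3.3.0 is already given. Smaller points in the same hunk: the CVE-2017-7685 description has the typo "Apache OpenMeetingsrespond" and lists HEAD among the insecure methods although HEAD is a safe method by definition, so the text should say why it is included; the CVE-2017-7681 description is missing a full stop after "SQL injection"; and the section names for CVE-2017-7666 and CVE-2017-7673 omit the " - " separator that the other nine use.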
