[ https://issues.apache.org/jira/browse/OPENMEETINGS-2739?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Maxim Solodovnik resolved OPENMEETINGS-2739.
--------------------------------------------
    Resolution: Fixed

> auth security issue
> -------------------
>
>                 Key: OPENMEETINGS-2739
>                 URL: https://issues.apache.org/jira/browse/OPENMEETINGS-2739
>             Project: Openmeetings
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 6.2.0
>            Reporter: Dennis Zimmt
>            Assignee: Maxim Solodovnik
>            Priority: Blocker
>              Labels: authentication, security
>             Fix For: 7.0.0
>
>
> There is a heavy security issue that enables you to log yourself in as
> another user.
>
> If you start the dialog to invite someone in a private room you can choose a
> room's title, a user and a password. Then you can generate an invitation url
> which is supposed to be sent via mail to that user to join your room.
> That url contains a hash which logs in the invited user automatically.
>
> <URL>/openmeetings/hash?invitation=c0fdb7cb-e0bb-4012-95ba-e658fc25c634&language=2
>
> So by calling that url by yourself you can log in as that invited user
> (before actually sending the invitation).
>
>

--
This message was sent by Atlassian Jira
(v8.20.7#820007)