Hi Maxim,

I got your point; however, the description seems to be stating that only version *3.0.0* is affected instead of *<=4.0.1*.

CVE-2018-1286 - Apache OpenMeetings - Insufficient Access Controls

Severity: Medium

Vendor: The Apache Software Foundation

*Versions Affected: Apache OpenMeetings 3.0.0*
*Versions Affected: <= 4.0.1 (Corrected)*

Description: CRUD operations on privileged users are not password protected, allowing an authenticated attacker to deny service for privileged users.

CVE-2018-1286

The issue was fixed in 4.0.2
All users are recommended to upgrade to Apache OpenMeetings 4.0.2

Thanks,
~ Sahil

On Mon, Feb 26, 2018 at 10:43 AM, Maxim Solodovnik <[email protected]> wrote:
> I have analyzed the code
> Wysiwyg editor was introduced in 3.0.0
> and it was vulnerable from the very beginning
> So all versions are affected :(
>
> On Mon, Feb 26, 2018 at 12:10 PM, Sahil Dhar <[email protected]> wrote:
> > Hi Maxim,
> >
> > I just noticed that there is a typo in the CVE-2018-1286 description, as it
> > states that the affected version is 3.0.0. However, the vulnerability was
> > reported for the 4.0.1 release. Can you please update it?
> >
> > Thanks,
> > ~ Sahil
> >
> > On Sun, Feb 25, 2018 at 5:20 PM, Maxim Solodovnik <[email protected]> wrote:
> >> Severity: Medium
> >>
> >> Vendor: The Apache Software Foundation
> >>
> >> Versions Affected: Apache OpenMeetings 3.0.0
> >>
> >> Description: CRUD operations on privileged users are not password
> >> protected, allowing an authenticated attacker to deny service for
> >> privileged users.
> >>
> >> The issue was fixed in 4.0.2
> >> All users are recommended to upgrade to Apache OpenMeetings 4.0.2
> >>
> >> Credit: This issue was identified by Sahil Dhar of Security Innovation Inc
>
> --
> WBR
> Maxim aka solomax
