Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NApache Openmeetings
APPApache6.1.0 – 9.0.0 (bez)
Related vulnerabilities
Apache OpenMeetings: deserializacja niezaufanych danych w konfiguracji klastrowej
Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0 Descri...
Apache OpenMeetings before 3.1.2 is vulnerable to Remote Code Execution via RMI deserialization attack.
Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and ...
Uploaded XML documents were not correctly validated in Apache OpenMeetings 3.1.0.