There are four vulnerabilities, including a remote code execution hole, in Apache OpenMeetings, a researcher said.
Those vulnerabilities mean attackers could hijack installations of the virtual meetings and shared whiteboard application, said Recurity Labs hacker Andreas Lindh, who discovered the flaws.
Lindh reported two critical flaws including a predictable password reset token (CVE-2016-0783) and an arbitrary file read through the SOAP API (CVE-2016-2164) along with holes in ZIP file path traversal (CVE-2016-0784) and stored cross site scripting in event description (CVE-2016-2163).
He said attackers would need to know the administrator’s username in order to attack OpenMeetings installations remotely.
“During my audit, I came across multiple issues of varying severity, among them two vulnerabilities that, with some additional trickery, would allow for an unauthenticated attacker to gain remote code execution on the system, with knowledge of an administrator’s username as the only pre-requisite,” Lindh said in a post.
“The last reported vulnerability in OpenMeetings that I could find is an XSS (cross-site scripting) from 2013, something that hints at how infrequently a lot of open source projects are audited.”
Lindh detailed the four flaws showing in a proof-of-concept how an attacker with knowledge of an existing username can generate the respective password reset token in “less than a second.”