GHSA-3r48-3m8r-4r9w

GitHub Security Advisory

Apache OpenMeetings missing authentication and can allow user impersonation

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

The Apache Software Foundation's OpenMeetings from 2.0.0 before 7.0.0 is missing authentication on meeting invitation URLs. An invitation URL contains a hash that automatically logs in as the invited user. An unauthorized user could obtain this URL and log in to the meeting as an invited user, in effect elevating their privileges in the meeting room. OpenMeetings 7.0.0 disables this option if a contact is not selected.

Affected Packages

Maven org.apache.openmeetings:openmeetings-parent
Affected versions: from 2.0.0, before 7.0.0 (fixed in 7.0.0)

Key Information

GHSA ID: GHSA-3r48-3m8r-4r9w
Published: March 28, 2023 3:30 PM
Last Modified: April 4, 2023 5:38 PM
CVSS Score: 9.0/10
Primary Ecosystem: Maven
Primary Package: org.apache.openmeetings:openmeetings-parent
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 13, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.