When attempting to upload a file via the API using the importFileByInternalUserId or importFile methods in the FileService, it is possible to read arbitrary files from the system. This is due to that Java's URL class is used without checking what protocol handler is specified in the API call. Apache OpenMeetings versions 1.9.x through 3.0.7 are affected.
c8dd487b97e1b03e9a3818c01b947705ae5bdeec150494b208e77bfa5c1dd41f
Severity: Critical
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.0.7
Description:
When attempting to upload a file via the API using the
importFileByInternalUserId
or importFile methods in the FileService, it is possible to read arbitrary
files from the system. This is due to that Java's URL class is used without
checking what protocol handler is specified in the API call.
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
Apache OpenMeetings Team