
====================================================================

                             CERT-Renater

                 Information Note No. 2018/VULN079
_____________________________________________________________________

DATE                : 27/02/2018

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Wicket jQuery UI versions prior to
                                 6.28.1, 7.9.2, 8.0.0-M8.1.

=====================================================================
http://openmeetings.apache.org/security.html#_toc_cve-2017-15719_-_wicket_jquery_ui_xss_in_wysiwyg_e
_____________________________________________________________________


CVE-2017-15719 - Wicket jQuery UI: XSS in WYSIWYG editor

Severity: High

Vendor: wicket-jquery-ui

Versions Affected: <= 6.28.0, <= 7.9.1, <= 8.0.0-M8

Description: An attacker can submit arbitrary JS code to the WYSIWYG editor

CVE-2017-15719

The issue was fixed in 6.28.1, 7.9.2, 8.0.0-M8.1
All users are recommended to upgrade to Apache OpenMeetings 4.0.2

Credit: This issue was identified by Sahil Dhar of Security Innovation
Inc


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================




