=====================================================================
CERT-Renater Information Note No. 2026/VULN379
_____________________________________________________________________

DATE : 10/04/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache OpenMeetings versions prior to 9.0.0.
=====================================================================

https://lists.apache.org/thread/vrjg6o9c1nnmhn64vr316voph303lt4c
https://lists.apache.org/thread/jn6qvcs8g0gv46oso0pb9fk3xvq9wz1h
https://lists.apache.org/thread/d5mcsdvdm1yj62bk68rl5890lopf6w94

_____________________________________________________________________

CVE-2026-33266: Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt

Severity: important

Affected versions:
- Apache OpenMeetings 6.1.0 before 9.0.0

Description:
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.
The remember-me cookie encryption key is set to a default value in openmeetings.properties and is not auto-rotated. If the OpenMeetings admin has not changed the default encryption key, an attacker who has stolen a remember-me cookie from a logged-in user can decrypt it and recover the user's full credentials.

This issue affects Apache OpenMeetings from 6.1.0 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
This issue is being tracked as OPENMEETINGS-2813

Credit: 4ra2n (A code security AI agent) (finder)

References:
https://openmeetings.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-33266
https://issues.apache.org/jira/browse/OPENMEETINGS-2813

_____________________________________________________________________

CVE-2026-34020: Apache OpenMeetings: Login Credentials Passed via GET Query Parameters

Severity: moderate

Affected versions:
- Apache OpenMeetings 3.1.3 before 9.0.0

Description:
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.
The REST login endpoint uses the HTTP GET method, with the username and password passed as query parameters. Credentials carried in a URL can end up in web-server and proxy access logs, browser history and Referer headers; see the OWASP reference below for the possible impact.

This issue affects Apache OpenMeetings from 3.1.3 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
This issue is being tracked as OPENMEETINGS-2816

Credit: 4ra2n (A code security AI agent) (finder)

References:
https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
https://openmeetings.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-34020
https://issues.apache.org/jira/browse/OPENMEETINGS-2816

_____________________________________________________________________

CVE-2026-33005: Apache OpenMeetings: Insufficient checks in FileWebService

Severity: moderate

Affected versions:
- Apache OpenMeetings 3.1.0 before 9.0.0

Description:
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings.
Any registered user can query the web service with their own credentials and list the files and sub-folders of any folder by ID (metadata only, not contents). The metadata includes id, type, name and some other fields; the full list can be checked in the FileItemDTO object (see references).

This issue affects Apache OpenMeetings from 3.1.0 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
This issue is being tracked as OPENMEETINGS-2812

Credit: 4ra2n (A code security AI agent) (finder)

References:
https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html
https://openmeetings.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-33005
https://issues.apache.org/jira/browse/OPENMEETINGS-2812

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41             +
+ 75013 Paris        | email: cert@support.renater.fr   +
=========================================================
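A configuration check for the hardcoded remember-me key described under CVE-2026-33266 above. This is an added example, not code from the OpenMeetings project or from the CERT-Renater advisory: it compares a deployed openmeetings.properties against the copy shipped with the release and flags any secret-looking setting whose value is still the shipped default, then generates a per-installation replacement. The property names in the embedded sample files are invented placeholders, since the advisory does not name the real ones; the comparison logic does not depend on them.

```python
"""Flag secret-bearing settings left at the value shipped in the default file.

Added example, not OpenMeetings project code. The property names below are
invented placeholders; only a secret-looking key name and an unchanged value
matter to the check.
"""
import re
import secrets

# Key-name substrings treated as security-sensitive (assumed heuristic).
SENSITIVE_MARKERS = ("key", "salt", "secret", "password", "token")

# key=value or key:value; Java .properties files also allow '#' and '!' comments.
PROP_RE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")

# Constructed stand-ins for the release's default file and the deployed one:
# the admin rotated the salt but left the key at its shipped default.
DEFAULT_PROPERTIES = """\
# shipped defaults (constructed sample, placeholder names)
example.rememberme.key=changeme-default-key
example.rememberme.salt=changeme-default-salt
example.smtp.password=
example.app.name=OpenMeetings
"""

DEPLOYED_PROPERTIES = """\
example.rememberme.key=changeme-default-key
example.rememberme.salt=a8f3c1e97d2b
example.smtp.password=
example.app.name=Team conferencing
"""


def parse_properties(text):
    """Minimal Java .properties reader (no line continuations or escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def is_sensitive(key):
    lowered = key.lower()
    return any(marker in lowered for marker in SENSITIVE_MARKERS)


def unchanged_secrets(default_text, deployed_text):
    """Sensitive keys whose deployed value equals the shipped default.

    A value that is empty in both files counts as unchanged: an empty secret
    is just as predictable as a published one.
    """
    defaults = parse_properties(default_text)
    deployed = parse_properties(deployed_text)
    return sorted(
        key for key, value in deployed.items()
        if is_sensitive(key) and key in defaults and value == defaults[key]
    )


def rewrite_with_fresh_secrets(deployed_text, keys):
    """Return the deployed text with each listed key set to a new random value.

    secrets.token_urlsafe(32) yields 256 bits of entropy per installation.
    """
    todo = set(keys)
    out = []
    for raw in deployed_text.splitlines():
        m = PROP_RE.match(raw.strip())
        if m and m.group(1) in todo:
            out.append(f"{m.group(1)}={secrets.token_urlsafe(32)}")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    stale = unchanged_secrets(DEFAULT_PROPERTIES, DEPLOYED_PROPERTIES)
    print("still at shipped default:", stale)
    # Only rotate the cookie material here; an empty SMTP password may be
    # legitimate (no SMTP auth) and needs a human decision.
    print(rewrite_with_fresh_secrets(DEPLOYED_PROPERTIES,
                                     [k for k in stale if "rememberme" in k]))
```

Rotating the key invalidates every outstanding remember-me cookie, which is the desired effect if one may already have been stolen. This check only tells you whether your own instance is exposed; the attacker needs nothing more than the published default, so the actual fix remains the upgrade to 9.0.0.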
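For CVE-2026-34020 above, a detection an administrator can run over web-server or reverse-proxy access logs to find out whether credentials have already travelled in GET query strings, and which accounts are affected. This is an added example, not OpenMeetings or CERT-Renater code; the endpoint path and the parameter names (user, pass, password) in the constructed log lines are assumptions, as the advisory does not give them.

```python
"""Detect login credentials leaked through GET query strings in access logs.

Added example, not OpenMeetings project code. The endpoint path
/openmeetings/services/user/login and the parameter names are ASSUMED for
illustration; adjust them to what your deployment actually logs.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names that mean a secret travelled in the URL (assumed list).
SENSITIVE_PARAMS = {"pass", "password", "passwd", "pwd", "secret", "token"}

# Common/combined log format: method, target and protocol inside the request quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:09:12:01 +0200] "GET /openmeetings/services/user/login?user=alice&pass=Hunter2%21 HTTP/1.1" 200 312
203.0.113.7 - - [10/Apr/2026:09:12:05 +0200] "GET /openmeetings/services/room/public/conference HTTP/1.1" 200 1804
198.51.100.4 - - [10/Apr/2026:09:13:44 +0200] "POST /openmeetings/services/user/login HTTP/1.1" 200 312
198.51.100.9 - - [10/Apr/2026:09:14:02 +0200] "GET /openmeetings/services/user/login?user=bob&password=s3cret HTTP/1.1" 401 87
"""


def find_leaked_credentials(log_text):
    """One record per request whose query string carried a sensitive parameter.

    The secret value itself is never returned, only which parameter leaked
    and the non-secret username, so the report can be shared safely.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.query:
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(k for k in params if k.lower() in SENSITIVE_PARAMS)
        if not leaked:
            continue
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "path": parts.path,
            "status": int(m.group("status")),
            "leaked_params": leaked,
            "user": params.get("user", [None])[0],
        })
    return findings


def redact_query(target):
    """Rewrite a request target so sensitive parameter values read '[REDACTED]'.

    Useful for scrubbing an existing log before it is shared. It cannot undo
    copies that already reached proxies, browser history or Referer headers.
    """
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = []
    for chunk in parts.query.split("&"):
        key, sep, value = chunk.partition("=")
        if key.lower() in SENSITIVE_PARAMS:
            value = "[REDACTED]"
        pairs.append(key + sep + value)
    return parts._replace(query="&".join(pairs)).geturl()


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} {f['method']} {f['path']} "
              f"leaked {f['leaked_params']} for user {f['user']} (HTTP {f['status']})")
```

Every account that shows up in the report should have its password reset, including the failed (HTTP 401) attempt, since the submitted value was still written to disk. Note that the POST login in the sample leaves nothing to find: the body is not logged, which is why 9.0.0 moves the credentials out of the URL.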
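For CVE-2026-33005 above, the shape of the missing authorization check: a "list folder by ID" service that only verifies the caller is logged in, next to a hardened version that verifies the caller may see that particular folder before returning its metadata. This is an added example, not OpenMeetings code; the data model (a folder is either a user's personal item or a room item, and rooms have a member list) is an assumption made for illustration.

```python
"""Owner/room authorization for a 'list folder by ID' web service.

Added example, not OpenMeetings code. The data model (personal folders owned
by a user, room folders visible to room members) is an ASSUMPTION used to
illustrate the missing check described for CVE-2026-33005.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Folder:
    id: int
    name: str
    kind: str                        # "folder" or "file"
    owner_id: Optional[int] = None   # set for personal items
    room_id: Optional[int] = None    # set for room items
    parent_id: Optional[int] = None


@dataclass
class Room:
    id: int
    member_ids: Set[int] = field(default_factory=set)


# Constructed fixtures: users 1 and 2 share room 10; user 3 does not.
ROOMS = {10: Room(10, {1, 2})}
FOLDERS = {
    100: Folder(100, "alice private", "folder", owner_id=1),
    101: Folder(101, "tax-2025.pdf", "file", owner_id=1, parent_id=100),
    200: Folder(200, "room 10 shared", "folder", room_id=10),
    201: Folder(201, "agenda.txt", "file", room_id=10, parent_id=200),
    300: Folder(300, "carol private", "folder", owner_id=3),
}


def to_dto(item):
    """Metadata only, the fields the advisory says were exposed: id, type, name."""
    return {"id": item.id, "type": item.kind, "name": item.name}


def list_folder_vulnerable(caller_id, folder_id):
    """Authentication only: any logged-in user may list any folder ID."""
    if caller_id is None:
        raise PermissionError("login required")
    return [to_dto(f) for f in FOLDERS.values() if f.parent_id == folder_id]


def can_access(caller_id, item):
    """Owner of a personal item, or member of the room a room item belongs to."""
    if item.owner_id is not None:
        return item.owner_id == caller_id
    if item.room_id is not None:
        room = ROOMS.get(item.room_id)
        return room is not None and caller_id in room.member_ids
    return False


def list_folder(caller_id, folder_id):
    """Hardened: authorize against the folder before returning its children.

    Unknown and forbidden IDs raise the same error, so the endpoint cannot be
    used to probe which folder IDs exist.
    """
    if caller_id is None:
        raise PermissionError("login required")
    folder = FOLDERS.get(folder_id)
    if folder is None or not can_access(caller_id, folder):
        raise PermissionError("folder not found or not accessible")
    return [to_dto(f) for f in FOLDERS.values() if f.parent_id == folder_id]


def is_denied(caller_id, folder_id):
    """True when the hardened endpoint refuses the request."""
    try:
        list_folder(caller_id, folder_id)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # User 3 reading user 1's private folder: leaks file names with the old check.
    print("vulnerable:", list_folder_vulnerable(3, 100))
    print("hardened denies user 3:", is_denied(3, 100))
    print("hardened allows owner:", list_folder(1, 100))
```

Even though only metadata leaks, file and folder names alone (meeting titles, document names, participant names) are often sensitive, and a sequential ID space lets a single low-privileged account walk the whole tree; the per-object check has to run on every request, not just on login.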