[ https://issues.apache.org/jira/browse/OPENMEETINGS-2739?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17555407#comment-17555407 ]
ASF subversion and git services commented on OPENMEETINGS-2739:
---------------------------------------------------------------

Commit 1fb71af36b660b12031628bf237c04940ebc5cd0 in openmeetings's branch refs/heads/java11-modules from Maxim Solodovnik
[ https://gitbox.apache.org/repos/asf?p=openmeetings.git;h=1fb71af36 ]

[OPENMEETINGS-2739] generate URL is disabled if non-contact is selected

> auth security issue
> -------------------
>
>                 Key: OPENMEETINGS-2739
>                 URL: https://issues.apache.org/jira/browse/OPENMEETINGS-2739
>             Project: Openmeetings
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 6.2.0
>            Reporter: Dennis Zimmt
>            Assignee: Maxim Solodovnik
>            Priority: Blocker
>              Labels: authentication, security
>             Fix For: 7.0.0
>
>
> There is a heavy security issue that enables you to log yourself in as
> another user.
>
> If you start the dialog to invite someone in a private room you can choose a
> room's title, a user and a password. Then you can generate an invitation URL
> which is supposed to be sent via mail to that user to join your room.
> That URL contains a hash which logs in the invited user automatically.
>
> <URL>/openmeetings/hash?invitation=c0fdb7cb-e0bb-4012-95ba-e658fc25c634&language=2
>
> So by calling that URL yourself you can log in as that invited user
> (before actually sending the invitation).
>
>

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
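The flow the reporter describes and the fix named in the commit message, modelled as an added example. This is not OpenMeetings code and does not use its API; it is a small Python model of an invitation service with the pre-fix "generate URL" path beside the post-fix one. Assumed, because the page does not define them: a "contact" is an external address-book entry with no account of its own, a "non-contact" is a registered user, the placeholder base URL `https://meet.example.org` stands in for the `<URL>` of the report, and the users, room and password are constructed sample data.

```python
# Added example (not OpenMeetings code): a minimal model of the invitation-hash
# flow from OPENMEETINGS-2739, with the pre-fix and post-fix "generate URL" paths.
# Assumptions (not stated on the page): a "contact" is an external address-book
# entry without an account of its own; a "non-contact" is a registered user.
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

BASE_URL = "https://meet.example.org"  # placeholder for the <URL> in the report


@dataclass(frozen=True)
class User:
    user_id: int
    login: str
    is_contact: bool  # True = external contact, False = registered account


@dataclass(frozen=True)
class Invitation:
    hash: str
    invitee: User
    room: str
    password: Optional[str]


class InvitationService:
    def __init__(self) -> None:
        self._by_hash: Dict[str, Invitation] = {}
        self.outbox: List[Tuple[str, str]] = []  # (recipient, mail body) of sent mails

    def _create(self, invitee: User, room: str, password: Optional[str]) -> Invitation:
        # The report shows a UUID-shaped hash; uuid4 is the matching random form.
        inv = Invitation(str(uuid.uuid4()), invitee, room, password)
        self._by_hash[inv.hash] = inv
        return inv

    @staticmethod
    def url_for(inv: Invitation) -> str:
        return f"{BASE_URL}/openmeetings/hash?invitation={inv.hash}&language=2"

    def generate_url_vulnerable(self, invitee: User, room: str, password: Optional[str]) -> str:
        """Pre-fix behaviour: the inviter always gets the login URL back, whoever the invitee is."""
        return self.url_for(self._create(invitee, room, password))

    def generate_url_fixed(self, invitee: User, room: str, password: Optional[str]) -> str:
        """Post-fix behaviour per the commit message: URL generation is disabled for non-contacts."""
        if not invitee.is_contact:
            raise PermissionError("generate URL is disabled for registered users; send by mail instead")
        return self.url_for(self._create(invitee, room, password))

    def send_by_mail(self, invitee: User, room: str, password: Optional[str]) -> None:
        """Mail path: the URL goes only to the invitee's mailbox; nothing is returned to the inviter."""
        inv = self._create(invitee, room, password)
        self.outbox.append((invitee.login, self.url_for(inv)))

    def login_with_hash(self, invitation_hash: str) -> Optional[User]:
        """The /openmeetings/hash endpoint: a known hash yields a session as the invitee."""
        inv = self._by_hash.get(invitation_hash)
        return inv.invitee if inv else None


def hash_from_url(url: str) -> str:
    """Pull the invitation hash out of a generated URL, as an inviter holding the URL would."""
    return parse_qs(urlparse(url).query)["invitation"][0]


def demo() -> Dict[str, object]:
    svc = InvitationService()
    admin = User(1, "admin", is_contact=False)             # registered account (constructed)
    guest = User(2, "guest@example.org", is_contact=True)  # external contact (constructed)

    # Before the fix: an inviter "invites" the admin, keeps the URL, and logs in as admin.
    hijacked = svc.login_with_hash(hash_from_url(svc.generate_url_vulnerable(admin, "private", "pw")))

    # After the fix: the same request is refused for a registered user ...
    try:
        svc.generate_url_fixed(admin, "private", "pw")
        refused = False
    except PermissionError:
        refused = True
    # ... the mail path still works, but the inviter never sees the hash ...
    svc.send_by_mail(admin, "private", "pw")
    # ... and contacts, who have no account to hijack, still get a shareable URL.
    guest_login = svc.login_with_hash(hash_from_url(svc.generate_url_fixed(guest, "private", None)))

    return {
        "hijacked_login": hijacked.login if hijacked else None,
        "refused_for_registered_user": refused,
        "mails_sent": len(svc.outbox),
        "guest_login": guest_login.login if guest_login else None,
        "unknown_hash_rejected": svc.login_with_hash("not-a-real-hash") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that an invitation hash is a bearer credential for the invitee's session, so the only safe holder of it is the invitee; for a registered account the server must deliver it out of band (the mail path) and never echo it to whoever filled in the dialog. The contact case stays open because there is no pre-existing account for the URL to impersonate.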