Dennis Zimmt created OPENMEETINGS-2739:
------------------------------------------

             Summary: auth security issue
                 Key: OPENMEETINGS-2739
                 URL: https://issues.apache.org/jira/browse/OPENMEETINGS-2739
             Project: Openmeetings
          Issue Type: Bug
          Components: Security
    Affects Versions: 6.2.0
            Reporter: Dennis Zimmt
            Assignee: Maxim Solodovnik

There is a heavy security issue that enables you to log yourself in as another user.

If you start the dialog to invite someone in a private room you can choose a room's title, a user and a password. Then you can generate an invitation url which is supposed to be sent via mail to that user to join your room. That url contains a hash which logs in the invited user automatically.

<URL>/openmeetings/hash?invitation=c0fdb7cb-e0bb-4012-95ba-e658fc25c634&language=2

So by calling that url by yourself you can log in as that invited user (before actually sending the invitation).

--
This message was sent by Atlassian Jira
(v8.20.7#820007)
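
A detection sketch for the behaviour reported above, added here as an example and not part of the issue report or of OpenMeetings' code: it scans web access logs for `hash?invitation=` requests and flags links redeemed from the inviter's own address or before the invitation mail went out. The log lines, the invitation record schema (`inviter_ip`, `mail_sent`) and the second token are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Combined-log-format GET request: client address, timestamp, target, status.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"GET (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def parse_redemption(line):
    """Return (ip, time, token) for a successful invitation-hash request, else None."""
    m = LINE.match(line)
    if not m or m["status"][0] not in "23":
        return None
    url = urlsplit(m["target"])
    token = parse_qs(url.query).get("invitation", [None])[0]
    if not url.path.endswith("/openmeetings/hash") or token is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), token

def suspicious_redemptions(log_lines, invitations):
    """Flag invitation links used by their creator or before the mail went out."""
    findings = []
    for ip, when, token in filter(None, map(parse_redemption, log_lines)):
        inv = invitations.get(token)
        if inv is None:
            continue
        reasons = []
        if ip == inv["inviter_ip"]:  # same address as the inviter (NAT can cause overlap)
            reasons.append("redeemed from inviter address")
        if inv["mail_sent"] is None or when < inv["mail_sent"]:
            reasons.append("redeemed before invitation mail was sent")
        if reasons:
            findings.append((token, ip, reasons))
    return findings

# Constructed sample data. The invitation record schema is hypothetical.
UTC = timezone.utc
INVITATIONS = {
    "c0fdb7cb-e0bb-4012-95ba-e658fc25c634": {"inviter_ip": "198.51.100.7", "mail_sent": None},
    "11111111-2222-4333-8444-555555555555": {
        "inviter_ip": "198.51.100.7", "mail_sent": datetime(2022, 5, 10, 9, 5, tzinfo=UTC)},
}
ACCESS_LOG = [
    '198.51.100.7 - - [10/May/2022:09:01:12 +0000] "GET /openmeetings/hash?invitation=c0fdb7cb-e0bb-4012-95ba-e658fc25c634&language=2 HTTP/1.1" 200 512',
    '203.0.113.20 - - [10/May/2022:09:30:00 +0000] "GET /openmeetings/hash?invitation=11111111-2222-4333-8444-555555555555&language=2 HTTP/1.1" 200 512',
    '203.0.113.20 - - [10/May/2022:09:31:00 +0000] "GET /openmeetings/ HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in suspicious_redemptions(ACCESS_LOG, INVITATIONS):
        print(finding)
```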