Directory Traversal Vulnerability in Apache OpenMeetings Remote Administration
CVE-2016-0784

6.5 MEDIUM

Key Information:

Vendor: Apache
CVE Published: 11 April 2016

Summary

A directory traversal vulnerability exists in the Import/Export System Backups functionality of Apache OpenMeetings prior to version 3.1.1. The flaw allows remote authenticated administrators to manipulate ZIP archive contents so that files are written to arbitrary locations on the server. By using crafted ZIP entries with directory traversal sequences (such as '..'), an attacker could gain unauthorized access to the file system, leading to potential exposure of sensitive data or execution of malicious payloads. It is critical for administrators to update their instances of Apache OpenMeetings to the latest version to mitigate this security risk.
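
The check that this class of bug omits, as an added example (not OpenMeetings code, which is Java): every ZIP entry name is validated before anything is written, and the whole backup is rejected if any entry would resolve outside the extraction root. The function names and the sample archive are constructed for illustration.

```python
import io
import os
import posixpath
import re
import zipfile


def entry_escapes(name: str) -> bool:
    """True if a ZIP entry name would resolve outside the extraction root."""
    norm = name.replace("\\", "/")  # treat Windows separators as separators
    if norm.startswith("/") or re.match(r"^[A-Za-z]:", norm):
        return True  # absolute or drive-qualified path
    # After collapsing "a/../b", a leading ".." means the path climbs out.
    return posixpath.normpath(norm).split("/")[0] == ".."


def audit_backup(zip_bytes: bytes) -> list:
    """Return the entry names in a backup archive that must not be extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if entry_escapes(i.filename)]


def safe_import(zip_bytes: bytes, dest_root: str) -> list:
    """Extract only if every entry stays under dest_root; else reject it all."""
    bad = audit_backup(zip_bytes)
    if bad:
        raise ValueError(f"rejected backup, traversal entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.split("/")
            target = os.path.normpath(os.path.join(dest_root, *parts))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def make_sample(names):
    """Constructed sample archive, built in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample data")
    return buf.getvalue()
```

Rejecting the archive outright, rather than skipping the offending entries, leaves no partially imported backup behind and gives the operator a clear event to log.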

EPSS Score

9% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
