CVE-2023-29246

CWE-20 — Improper Input Validation4 documents4 sources

Severity

7.2HIGH

EPSS

0.1%

top 70.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Openmeetings Apache Openmeetings

Timeline

PublishedMay 12

Description

An attacker who has gained access to an admin account can perform RCE via null-byte injection Vendor: The Apache Software Foundation Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5apache_software_foundation/apache_openmeetings2.0.0 — 7.1.0

▶NVDapache/openmeetings2.0.0 — 7.1.0

▶Mavenorg.apache.openmeetings:openmeetings-parent2.0.0 — 7.1.0

🔴Vulnerability Details

GHSA

Apache OpenMeetings vulnerable to remote code execution via null-bye injection↗2023-05-12

▶

OSV

Apache OpenMeetings vulnerable to remote code execution via null-bye injection↗2023-05-12

▶

CVEList

Apache OpenMeetings: allows null-byte Injection↗2023-05-12

▶