CVE-2017-7680: Apache OpenMeetings allows flash content to be loaded from untrusted domains
CVSS Score: 7.5 (CVSS 3.0)
Basic Information
CVE ID: CVE-2017-7680
GHSA ID:
EPSS Score: 0.78508%
CWE: -
Published: 5/13/2022
Updated: 2/2/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.openmeetings:openmeetings-parent | maven | >= 1.0.0, < 3.3.0 | 3.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from an insecure configuration in the crossdomain.xml file, not from a specific function in the codebase. crossdomain.xml is a Flash policy file that controls cross-domain access; an overly permissive configuration (e.g., allowing '*' as a trusted domain) enables untrusted Flash content to interact with the application. No functions are explicitly mentioned in the provided CVE/GHSA descriptions or patch details, and the fix would involve modifying the crossdomain.xml content rather than altering code logic.
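A check for the kind of permissive policy described above, as an added example that is not OpenMeetings code or part of the advisory. Both sample policies are constructed for illustration, and the `audit_policy` helper and its rule list are hypothetical names; the element and attribute names are those of the Flash cross-domain policy file format.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies for illustration; not OpenMeetings' shipped files.
PERMISSIVE = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

RESTRICTED = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="meetings.example.org" secure="true"/>
</cross-domain-policy>"""

# (element, attribute, risky value, why it matters)
RULES = [
    ("allow-access-from", "domain", "*",
     "content from any domain may read this site's responses"),
    ("allow-access-from", "secure", "false",
     "content served over HTTP may access an HTTPS site"),
    ("allow-http-request-headers-from", "domain", "*",
     "content from any domain may send custom request headers"),
    ("site-control", "permitted-cross-domain-policies", "all",
     "any policy file on the host is honoured, not only the master one"),
]


def audit_policy(xml_text):
    """Return a list of (element, attribute, reason) findings for a policy."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"policy is not well-formed XML: {exc}") from exc
    if root.tag != "cross-domain-policy":
        raise ValueError(f"unexpected root element <{root.tag}>")
    findings = []
    for tag, attr, risky, reason in RULES:
        for elem in root.iter(tag):
            if elem.get(attr, "").strip().lower() == risky:
                findings.append((tag, attr, reason))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE), ("restricted", RESTRICTED)):
        print(name, audit_policy(policy) or "no findings")
```

Run it against the crossdomain.xml actually served by a deployment to confirm that no wildcard entries remain after upgrading or editing the policy.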