
CVE-2017-7680: Apache OpenMeetings allows flash content to be loaded from untrusted domains

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score
0.78508%
CWE
-
Published
5/13/2022
Updated
2/2/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name                                   | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.openmeetings:openmeetings-parent    | maven     | >= 1.0.0, < 3.3.0   | 3.3.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from an insecure configuration in the crossdomain.xml file rather than from any specific code function. crossdomain.xml is a Flash policy file served by the application that tells Flash Player which origins' content may make cross-domain requests to it; an overly permissive configuration (e.g., allowing '*' as a trusted domain) lets Flash content served from untrusted domains interact with the application. Because the flaw is configuration-related and not tied to a specific function in the codebase, no functions are named in the CVE/GHSA descriptions or patch details, and the fix involves changing the crossdomain.xml content rather than altering code logic.
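As an added example (not the project's code or the actual patch), the following audit parses a crossdomain.xml policy and flags the permissive settings described above; both policy samples and the host name openmeetings.example.org are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the kind of overly permissive policy the CVE describes
# (not the project's actual file): any origin may serve Flash content that
# talks to the application with the victim's session cookies.
WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed hardened form: only the application's own host (placeholder
# name) is trusted, and only over TLS.
HARDENED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="openmeetings.example.org" secure="true"/>
</cross-domain-policy>"""


def audit_crossdomain_policy(xml_text: str) -> list[str]:
    """Return a list of findings for a Flash crossdomain.xml policy.

    An empty list means no overly permissive setting was found.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]
    for sc in root.iter("site-control"):
        if sc.get("permitted-cross-domain-policies") == "all":
            findings.append("site-control permits arbitrary policy files ('all')")
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append("allow-access-from domain='*' trusts every origin")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from domain='{domain}' trusts a whole subdomain tree")
        # 'secure' defaults to true; an explicit false lets http:// content reach an https:// app
        if el.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from domain='{domain}' with secure='false'")
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append("allow-http-request-headers-from domain='*' lets any origin send custom headers")
    return findings
```

Run against the weak sample it reports four findings; the hardened sample produces none.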

Vulnerable functions


WAF Protection Rules

WAF Rule

Apache OpenMeetings *.*.* has an overly permissive `crossdomain.xml` file. This allows for flash content to be loaded from untrusted domains.
