Apache OpenMeetings
cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*
- >= 3.1.3, < 9.0.0
A vulnerability exists in Apache OpenMeetings versions from 3.1.3 up to, but not including, 9.0.0, where the REST login endpoint improperly uses the HTTP GET method to transmit usernames and passwords as query parameters. This practice exposes sensitive information through various channels, including web logs and browser history, even when HTTPS is used.
Exposing login credentials in query strings can lead to unauthorized access, as captured information may be stored in web logs or browser history. This vulnerability violates secure session management practices by exposing one-time passwords (OTPs) during their validity window, creating a risk of unauthorized account access.
Users are advised to upgrade to Apache OpenMeetings version 9.0.0 or later, which addresses this vulnerability.