When creating an event, it is possible to create clickable URL links in the event description. These links will be present inside the event details once a participant enters the room via the event. It is possible to create a link like “javascript:alert(‘xss’)”, which will execute once the link is clicked. As the link is placed within an tag, the actual link is not visible to the end user which makes it hard to tell if the link is legit or not. Apache OpenMeetings versions 1.9.x through 3.0.7 are affected.