26 matches found

OSV
added 2025/10/08 6:3 p.m. | 1 views

CVE-2025-61788 Opencast Paella Player 7 vulnerable to Cross-Site-Scripting

Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs metadata like title, description, etc. unfiltered and unmodified. The vulnerability allows attackers to...

CVSS 5.1 | AI score 6.7 | EPSS 0.00087
Exploits: 0 | References: 4

CNNVD
added 2025/10/08 12:0 a.m. | 3 views

Opencast Information Disclosure Vulnerability

Opencast is a live video support software for large-scale automated video capture, management and distribution from the Opencast organization. A security vulnerability exists in Opencast versions prior to 17.8 and prior to 18.2, which can be exploited by attackers to cause accidental distribution...

CVSS 4.3 | AI score 6.6 | EPSS 0.00043
Exploits: 1 | References: 3

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2021-2538

Malware in sbrugna...

CVSS 7.5 | AI score 6.4 | EPSS 0.00389
Exploits: 1 | References: 6

EUVD
added 2025/10/07 12:30 a.m. | 2 views

EUVD-2021-2446

Malware in sbrugna...

CVSS 9.9 | AI score 8.1 | EPSS 0.01036
Exploits: 1 | References: 7

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2022-5043

Malicious code in bioql PyPI...

CVSS 8.8 | AI score 8.8 | EPSS 0.00694
Exploits: 0 | References: 6

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2021-8667

Malicious code in bioql PyPI...

CVSS 5.5 | AI score 5.8 | EPSS 0.00192
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2022-4995

Malicious code in bioql PyPI...

CVSS 5.5 | AI score 5.5 | EPSS 0.00146
Exploits: 0 | References: 4

OpenVAS
added 2025/07/29 12:0 a.m. | 3 views

Opencast < 17.6 Information Disclosure Vulnerability (GHSA-j63h-hmgw-x4j7)

Opencast is prone to an information disclosure vulnerability...

CVSS 6.5 | AI score 6.9 | EPSS 0.00189
Exploits: 0 | References: 1

OSV
added 2025/07/26 3:28 a.m. | 4 views

CVE-2025-54380 Opencast still publishes global system account credentials

Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass...

CVSS 6.5 | AI score 6.4 | EPSS 0.00189
Exploits: 0 | References: 5

Github Security Blog
added 2025/07/25 8:13 p.m. | 2 views

Opencast still publishes global system account credentials

Description Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous...

CVSS 6.5 | AI score 6.5 | EPSS 0.00189
Exploits: 0 | References: 6 | Affected Software: 4

RedhatCVE
added 2025/05/22 11:51 p.m. | 6 views

CVE-2022-41965

Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 12.5, Opencast's Paella authentication page could be used to redirect to an arbitrary URL for authenticated users. The vulnerability allows attackers to redirect users to...

CVSS 6.1 | AI score 6.7 | EPSS 0.00194
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 10:43 p.m. | 9 views

CVE-2022-29237

Opencast is a free and open source solution for automated video capture and distribution at scale. Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassin...

CVSS 5.5 | AI score 6.4 | EPSS 0.00146
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 9:36 p.m. | 7 views

CVE-2021-43807

Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE...

CVSS 7.5 | AI score 6.7 | EPSS 0.00389
Exploits: 1

RedhatCVE
added 2025/05/22 9:30 p.m. | 4 views

CVE-2021-21318

Opencast is a free, open-source platform to support the management of educational audio and video content. In Opencast before version 9.2 there is a vulnerability in which publishing an episode with strict access rules will overwrite the currently set series access. This allows for an easy denial...

CVSS 5.5 | AI score 6.8 | EPSS 0.00192
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 4:42 p.m. | 6 views

CVE-2020-5222

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials...

CVSS 8.8 | AI score 6.7 | EPSS 0.00246
Exploits: 0

RedhatCVE
added 2025/05/22 5:55 a.m. | 3 views

CVE-2017-1000217

Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media module resulting in arbitrary code execution, fixed in 2.3.3 and 3.0...

CVSS 8.8 | AI score 7.5 | EPSS 0.00694
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 2:34 a.m. | 7 views

CVE-2017-1000221

In Opencast 2.2.3 and older if user names overlap, the Opencast search service used for publication to the media modules and players will handle the access control incorrectly so that users only need to match part of the user name used for the access restriction. For example, a user with the role...

CVSS 6.5 | AI score 6.8 | EPSS 0.00215
Exploits: 1 | References: 1

RedhatCVE
added 2025/02/05 3:40 p.m. | 6 views

CVE-2020-5206

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example...

CVSS 10 | AI score 6.9 | EPSS 0.00296
Exploits: 0

RedhatCVE
added 2025/02/05 3:39 p.m. | 9 views

CVE-2020-5230

Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directorie...

CVSS 7.7 | AI score 6.7 | EPSS 0.00327
Exploits: 0

OSV
added 2021/12/14 9:43 p.m. | 1 views

GHSA-J4MM-7PJ3-JF7V HTTP Method Spoofing

Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE requests. This bypasses restrictions otherwise put on these types of requests...

CVSS 7.5 | AI score 5.9 | EPSS 0.00389
Exploits: 1 | References: 5