Opencast@* Security Vulnerabilities and Issues — Opencast@* CVE List

Lucene search

ApereoOpencast*

7 matches found

CVE•added 2020/01/30 9:15 p.m.•85 views

CVE-2020-5230

Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories ...

7.7CVSS7.4AI score0.00327EPSS

CVE•added 2020/01/30 10:15 p.m.•85 views

CVE-2020-5231

In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code (except for tests) but o...

6.5CVSS5.5AI score0.00229EPSS

CVE•added 2020/01/30 10:15 p.m.•84 views

CVE-2020-5206

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, ...

10CVSS9.1AI score0.00296EPSS

CVE•added 2020/01/30 8:15 p.m.•83 views

CVE-2020-5229

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially f...

8.1CVSS7.9AI score0.00153EPSS

CVE•added 2020/01/30 9:15 p.m.•80 views

CVE-2020-5222

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials wi...

8.8CVSS7.4AI score0.0026EPSS

CVE•added 2020/01/30 8:15 p.m.•73 views

CVE-2020-5228

Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public acces...

7.6CVSS7.3AI score0.00337EPSS

CVE•added 2020/12/08 11:15 p.m.•60 views

CVE-2020-26234

Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for m...

4.8CVSS4.8AI score0.00079EPSS