CyberSec.Space Logo
Back to CVE Browser

CVE-2020-5206

HIGH
8.7
CVSS Severity Score
EPSS Score0.0140%
EPSS Percentile7.51th
PublishedJan 30, 2020
Last ModifiedNov 21, 2024

Vulnerability Description

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1

Affected Platforms (CPE)

πŸ“¦
Apereo

Opencast

< 7.6
πŸ“¦
Apereo

Opencast

= 8.0

References & Advisories

πŸ”— https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8
πŸ”— https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x
πŸ”— https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8
πŸ”— https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x

Related Vulnerabilities

CVE-2021-438219.9

Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 10.6 allows reference...

CVE-2017-10002178.8

Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media module re...

CVE-2021-326238.1

Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vu...

CVE-2020-52297.7

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the...