CyberSec.Space Logo
CVEブラウザに戻る

CVE-2020-5206

HIGH
8.7
CVSS Severity Score
EPSS Score0.0140%
EPSS Percentile7.51th
Published2020年1月30日
Last Modified2024年11月21日

Vulnerability Description

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1

Affected Platforms (CPE)

📦
Apereo

Opencast

< 7.6
📦
Apereo

Opencast

= 8.0

References & Advisories

🔗 https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8
🔗 https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x
🔗 https://github.com/opencast/opencast/commit/b157e1fb3b35991ca7bf59f0730329fbe7ce82e8
🔗 https://github.com/opencast/opencast/security/advisories/GHSA-vmm6-w4cf-7f3x

関連する脆弱性情報

CVE-2021-438219.9

Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 10.6 allows reference...

CVE-2017-10002178.8

Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media module re...

CVE-2021-326238.1

Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vu...

CVE-2020-52297.7

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the...