Page 3 of 14 results (0.003 seconds)

CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0

Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape working directories and write files to other locations. In addition, Opencast's Id.toString(…) vs Id.compact(…) behavior, the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1. Opencast anterior a las versiones 8.1 y 7.6 permite utilizar identificadores casi arbitrarios para paquetes y elementos de medios. • https://github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317 https://github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-99: Improper Control of Resource Identifiers ('Resource Injection') •

CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0

Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1 Opencast versiones anteriores a 7.6 y 8.1, habilita una cookie remember-me basada en un hash creado a partir del nombre de usuario, contraseña y una clave de sistema adicional. Esto significa que un atacante que obtiene acceso a un token remember-me para un servidor puede obtener acceso a todos los servidores que permiten el inicio de sesión con las mismas credenciales sin necesidad alguna de las credenciales. Este problema se corrigió en Opencast versión 7.6 y Opencast versión 8.1. • https://github.com/opencast/opencast/commit/1a7172c95af8d542a77ae5b153e4c834dd4788a6 https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363 • CWE-798: Use of Hard-coded Credentials •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user. This essentially means that for an attacker, it might be feasible to reconstruct a user's password given access to these hashes. Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords. The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. • https://github.com/opencast/opencast/commit/32bfbe5f78e214e2d589f92050228b91d704758e https://github.com/opencast/opencast/security/advisories/GHSA-h362-m8f2-5x7c • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 7.6EPSS: 0%CPEs: 2EXPL: 0

Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly handing out public access to events without their knowledge. The problem has been addressed in Opencast 7.6 and 8.1 where the OAI-PMH endpoint is configured to require users with `ROLE_ADMIN` by default. In addition to this, Opencast 9 removes the OAI-PMH publication from the default workflow, making the publication a conscious decision users have to make by updating their workflows. • https://github.com/opencast/opencast/blob/1fb812c7810c78f09f29a7f455ff920417924307/etc/security/mh_default_org.xml#L271-L276 https://github.com/opencast/opencast/security/advisories/GHSA-6f54-3qr9-pjgj • CWE-862: Missing Authorization •