Description
Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the same credentials without ever needing the credentials. This problem is fixed in Opencast 7.6 and Opencast 8.1
References (2)
Core 2
Core References
Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/opencast/opencast/security/advisories/GHSA-mh8g-hprg-8363
Scores
CVSS v3
6.8
EPSS
0.0026
EPSS Percentile
49.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Details
CWE
CWE-798
Status
published
Products (3)
apereo/opencast
8.0
apereo/opencast
< 7.6
org.opencastproject/opencast-kernel
0 - 7.6Maven
Published
Jan 30, 2020
Tracked Since
Feb 18, 2026