Vulnerabilities > Apereo
|2021-02-18||CVE-2021-21318|| Incorrect Authorization vulnerability in Apereo Opencast |
Opencast is a free, open-source platform to support the management of educational audio and video content.
| 5.5 |
|2020-12-08||CVE-2020-26234|| Origin Validation Error vulnerability in Apereo Opencast |
Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests.
| 2.1 |
|2020-10-16||CVE-2020-27178|| Improper Authentication vulnerability in Apereo Central Authentication Service |
Apereo CAS 5.3.x before 5.3.16, 6.x before 22.214.171.124, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication.
| 5.0 |
|2020-01-30||CVE-2020-5231|| Incorrect Default Permissions vulnerability in Apereo Opencast |
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN.
| 4.0 |
|2020-01-30||CVE-2020-5206|| Improper Authentication vulnerability in Apereo Opencast |
In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect, given that the attacked endpoint also allows anonymous access.
| 6.4 |
|2020-01-30||CVE-2020-5230|| Injection vulnerability in Apereo Opencast |
Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used.
| 5.0 |
|2020-01-30||CVE-2020-5222|| Use of Hard-coded Credentials vulnerability in Apereo Opencast |
Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key.
| 6.5 |
|2020-01-30||CVE-2020-5229|| Use of a Broken or Risky Cryptographic Algorithm vulnerability in Apereo Opencast |
Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm.
| 5.5 |
|2020-01-30||CVE-2020-5228|| Missing Authorization vulnerability in Apereo Opencast |
Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH.
| 5.0 |
|2020-01-24||CVE-2014-4172|| Injection vulnerability in multiple products |
A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allows remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.
| 7.5 |