Openolat · Openolat · CVE-2026-28228
**Name of the Vulnerable Software and Affected Versions**
OpenOlat versions prior to 19.1.31
OpenOlat versions prior to 20.1.18
OpenOlat versions prior to 20.2.5
**Description**
OpenOlat is a web-based e-learning platform. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role could inject Apache Velocity directives into a reminder email template (a server-side template injection). The payload is stored with the reminder and is evaluated server-side when the reminder is processed, so it does not require the attacker to be interacting with the application at that moment. By chaining Velocity's `#set` directive with Java reflection, the attacker can instantiate arbitrary Java classes, including `java.lang.ProcessBuilder` (the JDK class used to launch operating system processes), and thereby execute operating system commands with the privileges of the Tomcat process that hosts OpenOlat. Only an authenticated account with the Author role is needed; no administrator privileges are involved.
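Because the injected directives sit in stored reminder templates until the reminder runs, a defender on an unpatched or freshly patched instance will want to triage the templates that already exist (for example, exported from the database) for Velocity directive and reflection constructs that a legitimate reminder text never needs. The scanner below is an added example written for this page; it is not code from OpenOlat or from the advisory. The pattern list, the risk rating, and the two sample templates (including the `$firstName`-style placeholders) are constructed assumptions about what such content looks like and would need tuning to a real deployment.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Velocity constructs that a plain reminder text should never contain.
# Each entry is (finding label, compiled regex). The list is an assumption
# made for this example, not a list taken from the OpenOlat advisory.
SUSPICIOUS_PATTERNS = [
    ("velocity-set-directive", re.compile(r"#\s*set\s*\(", re.I)),
    ("velocity-eval-directive", re.compile(r"#\s*evaluate\s*\(", re.I)),
    # $ref.class / .getClass() is the usual entry point into reflection
    ("reflection-class-access", re.compile(r"\$!?\{?\w+\}?\.class\b|\.getClass\s*\(", re.I)),
    ("reflection-class-forname", re.compile(r"\bforName\s*\(", re.I)),
    ("reflection-instantiate", re.compile(r"\.(newInstance|getConstructor|getMethod|invoke)\s*\(", re.I)),
    ("process-builder", re.compile(r"java\.lang\.(ProcessBuilder|Runtime)\b")),
]


@dataclass
class Finding:
    label: str
    line_no: int
    snippet: str  # the offending line, trimmed, for the triage report


def scan_template(template: str) -> list[Finding]:
    """Return every suspicious construct in a Velocity template, with its line number."""
    findings: list[Finding] = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for label, pattern in SUSPICIOUS_PATTERNS:
            for _ in pattern.finditer(line):
                findings.append(Finding(label, line_no, line.strip()[:80]))
    return findings


def risk_level(findings: list[Finding]) -> str:
    """Rate a template: 'high' when the #set + reflection chain or ProcessBuilder
    appears, 'medium' for any other directive/reflection use, 'none' otherwise."""
    labels = {f.label for f in findings}
    chain = "velocity-set-directive" in labels and bool(
        labels & {"reflection-class-forname", "reflection-instantiate"}
    )
    if "process-builder" in labels or chain:
        return "high"
    if labels:
        return "medium"
    return "none"


def triage(templates: dict[str, str]) -> dict[str, str]:
    """Map each reminder id to its risk level so high ratings can be reviewed first."""
    return {rid: risk_level(scan_template(text)) for rid, text in templates.items()}


# Constructed sample templates (not real OpenOlat data). The placeholders are
# assumed; the second template carries the #set + reflection pattern the
# advisory describes, without any further chain.
BENIGN_TEMPLATE = """Hello $firstName $lastName,

the course "$courseName" is still waiting for your assessment.
Please finish it before $dueDate.
"""

INJECTED_TEMPLATE = """Hello $firstName,
#set($cls = $firstName.class.forName("java.lang.ProcessBuilder"))
Please log in to complete the course.
"""


if __name__ == "__main__":
    samples = {"reminder-1": BENIGN_TEMPLATE, "reminder-2": INJECTED_TEMPLATE}
    for rid, level in triage(samples).items():
        print(f"{rid}: {level}")
        for f in scan_template(samples[rid]):
            print(f"  line {f.line_no}: {f.label}: {f.snippet}")
```

The scanner is a triage aid, not a fix: a stored template that rates `high` should be treated as evidence of exploitation attempts and investigated (who created or last edited the reminder, and what the Tomcat process did when it fired), and the instance must still be updated to a fixed version. A `medium` rating on `#set` alone can be legitimate in some templates, so review those by hand rather than deleting them automatically.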
**Recommendations**
Update OpenOlat to version 19.1.31 or later.
Update OpenOlat to version 20.1.18 or later.
Update OpenOlat to version 20.2.5 or later.