Lkiesow

**Name of the Vulnerable Software and Affected Versions** Opencast versions prior to 17.8 Opencast versions prior to 18.2 **Description** Opencast is a platform for managing educational audio and video content. In certain scenarios, prior to versions 17.8 and 18.2, the editor could publish a video without user notification. This could result in the accidental publication of internal media, potentially exposing it. The likelihood of this occurring is considered very low, requiring users with write access to an event to use the editor and specifically click "Save & Publish" before selecting "Save". **Recommendations** Update to Opencast version 17.8 or later. Update to Opencast version 18.2 or later.

**Name of the Vulnerable Software and Affected Versions** Opencast versions prior to 10.14 and 11.7 **Description** Opencast is a free and open source solution for automated video capture and distribution at scale. Prior to versions 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current organization, bypassing organizational barriers. Attackers must have full access to Opencast's ingest REST interface, and also know internal links to resources in another organization of the same Opencast cluster. Users who do not run a multi-tenant cluster are not affected by this issue. **Recommendations** For Opencast versions prior to 10.14, update to version 10.14 or later. For Opencast versions prior to 11.7, update to version 11.7 or later. As a temporary workaround, consider restricting access to Opencast's ingest REST interface until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Opencast versions prior to 9.10 Description: Opencast is an Open Source Lecture Capture & Video Management for Education. The issue allows HTTP method spoofing via URL parameter, enabling attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE requests. This bypasses restrictions on these types of requests and aids in cross-site request forgery (CSRF) attacks. Attackers can craft links or forms that change the server state. For example, a GET request can create a new user. If an admin is logged in and accidentally clicks a malicious link, a user will silently be created. Recommendations: To resolve the issue, update to Opencast 9.10 or 10.0. As a temporary workaround, consider setting the `SameSite=Strict` attribute for your cookies, if this is a viable option for your integrations.

**Name of the Vulnerable Software and Affected Versions** Opencast versions prior to 17.6 **Description** Opencast incorrectly sent hashed global system account credentials (`org.opencastproject.security.digest.user` and `org.opencastproject.security.digest.pass`) when fetching mediapackage elements included in a mediapackage XML file. Individuals with ingest permissions could cause Opencast to send these credentials to a URL of their choosing. A previous issue prevented some instances of this, but not all. **Recommendations** Upgrade to Opencast version 17.6 or later.

**Name of the Vulnerable Software and Affected Versions** Opencast versions prior to 9.6 **Description** Opencast is vulnerable to the billion laughs attack, which allows an attacker to easily execute a denial of service attack, essentially taking down Opencast using a single HTTP request. To exploit this, users need to have ingest privileges, limiting the group of potential attackers. The attack can be executed by sending a crafted XML file, such as `createMediaPackage.xml`, to an endpoint accepting XML, like `/ingestdownload/ingestdownload`. This causes Opencast to parse the XML and expand the content, consuming a huge amount of memory. **Recommendations** To resolve the issue, update to Opencast version 9.6 or later. As a temporary workaround, consider restricting access to the ingest functionality to minimize the risk of exploitation. Avoid using endpoints that accept XML, such as `/ingestdownload/ingestdownload`, until the issue is resolved. There is no known workaround for this issue.

**Name of the Vulnerable Software and Affected Versions** Opencast versions prior to 7.6 Opencast versions prior to 8.1 **Description** Using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. **Recommendations** For Opencast versions prior to 7.6, update to Opencast 7.6 to fix the issue. For Opencast versions prior to 8.1, update to Opencast 8.1 to fix the issue. As a temporary workaround for older, unpatched versions, consider disabling remember-me cookies in etc/security/mh default org.xml by removing the line <sec:remember-me … /> to mitigate the problem.

**Name of the Vulnerable Software and Affected Versions** Opencast versions prior to 7.6 Opencast versions prior to 8.1 **Description** The issue allows almost arbitrary identifiers for media packages and elements to be used, which can be problematic for operation and security. This is because such identifiers are sometimes used for file system operations, which may lead to an attacker being able to escape working directories and write files to other locations. Additionally, Opencast's `Id.toString()` vs `Id.compact()` behavior can cause errors due to identifier mismatch since an identifier may unintentionally change. **Recommendations** For Opencast versions prior to 7.6, update to version 7.6 or later to resolve the issue. For Opencast versions prior to 8.1, update to version 8.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of arbitrary identifiers for media packages and elements to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** python feedgen versions prior to 0.9.0 **Description** The feedgen library is susceptible to XML Denial of Service attacks when supplying XML as content for some fields, which can be parsed and integrated into the existing XML tree. This becomes a concern if feedgen is used to include content from untrusted sources and if XML is directly included instead of providing plain text content only. **Recommendations** For versions prior to 0.9.0, update to feedgen 0.9.0, which disallows XML entity expansion and external resources. As a temporary workaround, avoid providing XML directly to feedgen or ensure that no entity expansion is part of the XML.