Lowlkiesow

**Name of the Vulnerable Software and Affected Versions** Opencast versions prior to 9.2 **Description** The issue affects Opencast, a free, open-source platform for managing educational audio and video content. In affected versions, publishing an episode with strict access rules overwrites the currently set series access, allowing for easy denial of access for all users without superuser privileges and effectively hiding the series. Access to series and series metadata on the search service depends on the events published, which are part of the series. However, affected versions of Opencast may not update the series access or remove a published series if an event is being removed, leading to inconsistent access control lists or series metadata still being available after all episodes have been removed. **Recommendations** For Opencast versions prior to 9.2, update to version 9.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Opencast versions prior to 8.1 **Description** The issue concerns the use of the outdated and cryptographically insecure MD5 hash algorithm for storing passwords. The hashes are salted using the username instead of a random salt, which can cause collisions for users with the same username and password. This could allow an attacker to reconstruct a user's password if they gain access to the database where the hashes are stored. The problem is addressed in Opencast 8.1, which now uses the stronger bcrypt password hashing algorithm. Note that old hashes remain MD5 until the password is updated. The `/user-utils/users/md5.json` API endpoint can be used to identify users whose password hashes are stored using MD5. **Recommendations** For Opencast versions prior to 8.1, update to version 8.1 to address the issue. As a temporary workaround, consider restricting access to the database where password hashes are stored to minimize the risk of exploitation. Additionally, users can update their passwords to switch from MD5 to the stronger bcrypt hashing algorithm.