Opencast · Opencast · CVE-2020-5222
**Name of the Vulnerable Software and Affected Versions**
Opencast versions prior to 7.6
Opencast versions prior to 8.1
**Description**
Opencast's remember-me cookie is a hash computed from the `username`, the `password` and an additional system key. That system key was hard-coded in the `etc/security/mh_default_org.xml` file and was therefore identical on every Opencast installation. As a result, a remember-me token issued by one server is also valid on every other server on which the same credentials allow log-in: an attacker who obtains the remember-me token for one server can use it to access all of those servers without knowing the credentials.
**Recommendations**
For Opencast versions prior to 7.6, update to Opencast 7.6 to fix the issue.
For Opencast versions prior to 8.1, update to Opencast 8.1 to fix the issue.
As a temporary workaround for older versions, set a custom key for each server in the `etc/security/mh_default_org.xml` file, for example:
```xml
<sec:remember-me key="CUSTOM RANDOM KEY" user-service-ref="userDetailsService" />
```
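The token mechanism behind the description and the effect of the per-server key from the workaround, as an added illustration that is not Opencast's code: a minimal model of the Spring Security token-based remember-me scheme that the `<sec:remember-me>` element configures (assumed here to be MD5 over `username:expiry:password:key` wrapped in base64; the page only says the cookie is a hash of username, password and a system key). It shows that a cookie issued by one server verifies on any other server that shares the key and the account, and is rejected once each server has its own key. All user names, passwords and keys below are constructed.

```python
"""Model of a remember-me cookie whose signature depends on a system key.

Assumed scheme (Spring Security's token-based remember-me; not stated on the page):
    signature = MD5("username:expiry:password:key")
    cookie    = base64("username:expiry:signature")
"""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional


def make_token(username: str, password: str, key: str, expiry: int) -> str:
    """Issue the cookie a server hands out after a successful 'remember me' login."""
    sig = hashlib.md5(f"{username}:{expiry}:{password}:{key}".encode()).hexdigest()
    return base64.b64encode(f"{username}:{expiry}:{sig}".encode()).decode()


def validate_token(token: str, users: Dict[str, str], key: str, now: int) -> Optional[str]:
    """Return the username if the cookie verifies with THIS server's key, else None."""
    try:
        username, expiry_s, sig = base64.b64decode(token).decode().split(":")
        expiry = int(expiry_s)
    except ValueError:  # malformed cookie (binascii.Error and UnicodeDecodeError are ValueErrors)
        return None
    if expiry < now or username not in users:
        return None
    expected = hashlib.md5(f"{username}:{expiry}:{users[username]}:{key}".encode()).hexdigest()
    return username if hmac.compare_digest(expected.encode(), sig.encode()) else None


# Constructed sample: the same account and password exist on two Opencast servers.
USERS = {"admin": "constructed-password"}


def token_accepted_elsewhere(key_a: str, key_b: str) -> bool:
    """Does a cookie issued by server A (key_a) log the user in on server B (key_b)?"""
    now = int(time.time())
    cookie = make_token("admin", USERS["admin"], key_a, now + 3600)
    return validate_token(cookie, USERS, key_b, now) == "admin"


if __name__ == "__main__":
    # Hard-coded key shared by all installations: the token is portable between servers.
    print("shared key  ->", token_accepted_elsewhere("default-system-key", "default-system-key"))
    # Per-server key as in the workaround: the same token is rejected elsewhere.
    print("custom keys ->", token_accepted_elsewhere("key-of-server-a", "key-of-server-b"))
```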