Opencast Community · Opencast · CVE-2020-5231
**Name of the Vulnerable Software and Affected Versions**
Opencast versions prior to 7.6
Opencast versions prior to 8.1
**Description**
The issue allows users holding the role `ROLE_COURSE_ADMIN` to create new users through the `user-utils` endpoint, as long as the new user is not given the role `ROLE_ADMIN`. `ROLE_COURSE_ADMIN` is a non-standard role in Opencast, referenced only in the security configuration, and its name implies it is meant for the administrator of a specific course, a role that should not be able to create users. This issue is fixed in versions 7.6 and 8.1, which ship a new default security configuration.
**Recommendations**
For Opencast versions prior to 7.6, update to version 7.6 or later.
For Opencast versions prior to 8.1, update to version 8.1 or later.
As a temporary workaround, consider removing all instances of `ROLE_COURSE_ADMIN` from your organization's security configuration (`etc/security/mh_default_org.xml` by default).
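To check a security configuration for the workaround above, the following added example (not Opencast code and not part of the advisory) parses the Spring Security `intercept-url` rules, reports which URL patterns grant `ROLE_COURSE_ADMIN`, and produces a copy with the role removed from each access list; the embedded `SAMPLE_CONFIG` is constructed for illustration and is not the shipped `mh_default_org.xml`.

```python
"""Audit a Spring Security config for grants to ROLE_COURSE_ADMIN.
Added example, not Opencast code; SAMPLE_CONFIG is constructed, not the
shipped mh_default_org.xml."""
import xml.etree.ElementTree as ET

BEANS_NS = "http://www.springframework.org/schema/beans"
SEC_NS = "http://www.springframework.org/schema/security"
URL_TAG = f"{{{SEC_NS}}}intercept-url"
ROLE = "ROLE_COURSE_ADMIN"

# Constructed sample; patterns and role lists are illustrative only.
SAMPLE_CONFIG = f"""<beans xmlns="{BEANS_NS}" xmlns:sec="{SEC_NS}">
  <sec:http>
    <sec:intercept-url pattern="/admin-ng/**" access="ROLE_ADMIN, ROLE_ADMIN_UI" />
    <sec:intercept-url pattern="/user-utils/**" access="ROLE_ADMIN, ROLE_COURSE_ADMIN" />
    <sec:intercept-url pattern="/info/**" access="ROLE_ANONYMOUS" />
    <sec:intercept-url pattern="/course/**" access="ROLE_COURSE_ADMIN" />
  </sec:http>
</beans>"""

def _roles(url):
    """Split an intercept-url access attribute into role names."""
    return [r.strip() for r in url.get("access", "").split(",") if r.strip()]

def find_grants(config_xml, role=ROLE):
    """Return the URL patterns whose access list contains `role`."""
    root = ET.fromstring(config_xml)
    return [u.get("pattern") for u in root.iter(URL_TAG) if role in _roles(u)]

def strip_role(config_xml, role=ROLE):
    """Remove `role` from every access list; return (new_xml, review).
    Rules that granted `role` alone are left as-is and listed in `review`:
    emptying or deleting them changes who may reach that path."""
    ET.register_namespace("", BEANS_NS)
    ET.register_namespace("sec", SEC_NS)
    root = ET.fromstring(config_xml)
    review = []
    for url in root.iter(URL_TAG):
        roles = _roles(url)
        if role not in roles:
            continue
        kept = [r for r in roles if r != role]
        if kept:
            url.set("access", ", ".join(kept))
        else:
            review.append(url.get("pattern"))
    return ET.tostring(root, encoding="unicode"), review
```

Rules listed in `review` need an administrator's decision on which role replaces `ROLE_COURSE_ADMIN` before the rewritten file is deployed.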