PT-2021-23948 · Opencast · Opencast
Lkiesow · Published 2021-12-14 · Updated 2021-12-20
CVE-2021-43807 · CVSS v3.1 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Opencast versions prior to 9.10
Description: Opencast is an open-source lecture capture and video management system for education. The issue allows HTTP method spoofing via a URL parameter, so an attacker can turn an HTTP GET request into a PUT request, or use an HTML form to send a DELETE request. This bypasses the restrictions placed on those request types and aids cross-site request forgery (CSRF) attacks: an attacker can craft links or forms that change server state. For example, a GET request can create a new user, so if an administrator is logged in and accidentally clicks a malicious link, a user is silently created.
Recommendations: To resolve the issue, update to Opencast 9.10 or 10.0. As a temporary workaround, consider setting the SameSite=Strict attribute on your cookies, if this is a viable option for your integrations.
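The following Python is an added illustration, not Opencast's code, written from the defender's side. It contrasts the weak pattern the advisory describes (a method-override parameter honoured from the URL of any request, so a plain link becomes a PUT or DELETE) with a hardened resolver that ignores the query string entirely and only accepts an override carried in the body of a POST, and it includes a small log scan that flags GET requests carrying such a parameter. The parameter name `_method`, the allowed override set and the log lines are assumptions and constructed data; the advisory does not name the actual parameter.

```python
"""Added example: HTTP method-override handling, weak vs hardened, plus detection.

Assumptions (not taken from the advisory): the override parameter is called
'_method', overrides may only target PUT, PATCH or DELETE, and the log lines
below are constructed in Apache combined-log style.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}          # must never change server state
OVERRIDE_PARAM = "_method"                         # assumed parameter name
ALLOWED_OVERRIDES = {"PUT", "PATCH", "DELETE"}     # assumed policy


@dataclass
class Request:
    method: str
    url: str
    form: dict = field(default_factory=dict)       # parsed POST body fields only


def weak_effective_method(req: Request) -> str:
    """Vulnerable pattern: any request may rename itself via its query string.

    A GET to /admin/users?_method=PUT is treated as a PUT, which is exactly what
    lets a crafted link perform a state-changing action in the victim's session.
    """
    qs = parse_qs(urlsplit(req.url).query)
    override = qs.get(OVERRIDE_PARAM, [None])[0]
    return (override or req.method).upper()


def hardened_effective_method(req: Request) -> str:
    """Only a POST may carry an override, only in its body, never from the URL.

    Safe methods are returned unchanged regardless of what the URL says, so a
    link or an image tag can never become a PUT or DELETE.
    """
    method = req.method.upper()
    if method != "POST":
        return method
    override = req.form.get(OVERRIDE_PARAM)
    if override is None:
        return "POST"
    override = override.upper()
    if override not in ALLOWED_OVERRIDES:
        raise ValueError(f"method override to {override} is not allowed")
    return override


# Constructed sample log lines (not real traffic) in Apache combined-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Dec/2021:10:00:00 +0000] "GET /admin/users?_method=PUT HTTP/1.1" 200 512
10.0.0.5 - - [14/Dec/2021:10:00:01 +0000] "GET /admin/users HTTP/1.1" 200 4096
10.0.0.9 - - [14/Dec/2021:10:00:02 +0000] "POST /admin/users HTTP/1.1" 201 120
10.0.0.7 - - [14/Dec/2021:10:00:03 +0000] "GET /admin/users/alice?_method=DELETE HTTP/1.1" 200 12
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def find_override_attempts(log_text: str):
    """Flag safe-method requests whose query string carries the override parameter.

    Returns (line_number, original_method, requested_override, path) tuples; on a
    patched server these are harmless, on an unpatched one each is a state change
    performed with the victim's cookies.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        method, target = m.group("method"), m.group("target")
        parts = urlsplit(target)
        qs = parse_qs(parts.query)
        if method in SAFE_METHODS and OVERRIDE_PARAM in qs:
            hits.append((n, method, qs[OVERRIDE_PARAM][0].upper(), parts.path))
    return hits


if __name__ == "__main__":
    link = Request("GET", "/admin/users?_method=PUT")
    print("weak resolver sees:", weak_effective_method(link))          # PUT
    print("hardened resolver sees:", hardened_effective_method(link))  # GET
    for hit in find_override_attempts(SAMPLE_LOG):
        print("override attempt:", hit)
```

The hardened resolver is the structural fix; the SameSite=Strict cookie workaround the advisory mentions is complementary, because it stops the browser from attaching the session cookie to cross-site navigations in the first place, but it does not make a GET-with-override any less state-changing on the server.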

Weakness Enumeration: Authentication Bypass by Spoofing

Related Identifiers: CVE-2021-43807, GHSA-J4MM-7PJ3-JF7V

Affected Products: Opencast