Opencast
by Opencast
Source repositories
CVEs (19)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-1000217 | Hig | 0.50 | 8.8 | 0.02 | Nov 17, 2017 | Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media module resulting in arbitrary code execution, fixed in 2.3.3 and 3.0. | ||
| CVE-2025-61906 | 0.00 | — | 0.00 | Oct 8, 2025 | Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, in some situations, Opencast's editor may publish a video without notifying the user. This may lead to users accidentally publishing media… | |||
| CVE-2025-61788 | 0.00 | — | 0.00 | Oct 8, 2025 | Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified. The vulnerability… | |||
| CVE-2025-55202 | 0.00 | — | 0.00 | Aug 29, 2025 | Opencast is a free, open-source platform to support the management of educational audio and video content. In version 18.0 and versions before 17.7, the protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in… | |||
| CVE-2025-54380 | 0.00 | — | 0.00 | Jul 26, 2025 | Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and… | |||
| CVE-2024-52797 | 0.00 | — | 0.01 | Nov 21, 2024 | Opencast is free and open source software for automated video capture and distribution. First noticed in Opencast 13 and 14, Opencast's Elasticsearch integration may generate syntactically invalid Elasticsearch queries in relation to previously acceptable search queries. From… | |||
| CVE-2022-41965 | 0.00 | — | 0.00 | Nov 28, 2022 | Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 12.5, Opencast's Paella authentication page could be used to redirect to an arbitrary URL for authenticated users. The vulnerability allows attackers to… | |||
| CVE-2022-29237 | 0.00 | — | 0.01 | May 24, 2022 | Opencast is a free and open source solution for automated video capture and distribution at scale. Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current… | |||
| CVE-2021-43821 | 0.00 | — | 0.02 | Dec 14, 2021 | Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available… | |||
| CVE-2021-43807 | 0.00 | — | 0.01 | Dec 14, 2021 | Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP… | |||
| CVE-2021-32623 | 0.00 | — | 0.01 | Jun 15, 2021 | Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially… | |||
| CVE-2021-21318 | 0.00 | — | 0.01 | Feb 18, 2021 | Opencast is a free, open-source platform to support the management of educational audio and video content. In Opencast before version 9.2 there is a vulnerability in which publishing an episode with strict access rules will overwrite the currently set series access. This allows… | |||
| CVE-2020-26234 | 0.00 | — | 0.00 | Dec 8, 2020 | Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host.… | |||
| CVE-2020-5206 | 0.00 | — | 0.01 | Jan 30, 2020 | In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an… | |||
| CVE-2020-5231 | 0.00 | — | 0.01 | Jan 30, 2020 | In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code… | |||
| CVE-2020-5230 | 0.00 | — | 0.01 | Jan 30, 2020 | Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape… | |||
| CVE-2020-5222 | 0.00 | — | 0.01 | Jan 30, 2020 | Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the… | |||
| CVE-2020-5229 | 0.00 | — | 0.01 | Jan 30, 2020 | Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is… | |||
| CVE-2020-5228 | 0.00 | — | 0.01 | Jan 30, 2020 | Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly… |
- risk 0.50cvss 8.8epss 0.02
Opencast 2.3.2 and older versions are vulnerable to script injections through media and metadata in the player and media module resulting in arbitrary code execution, fixed in 2.3.3 and 3.0.
- CVE-2025-61906Oct 8, 2025risk 0.00cvss —epss 0.00
Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, in some situations, Opencast's editor may publish a video without notifying the user. This may lead to users accidentally publishing media…
- CVE-2025-61788Oct 8, 2025risk 0.00cvss —epss 0.00
Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified. The vulnerability…
- CVE-2025-55202Aug 29, 2025risk 0.00cvss —epss 0.00
Opencast is a free, open-source platform to support the management of educational audio and video content. In version 18.0 and versions before 17.7, the protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in…
- CVE-2025-54380Jul 26, 2025risk 0.00cvss —epss 0.00
Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and…
- CVE-2024-52797Nov 21, 2024risk 0.00cvss —epss 0.01
Opencast is free and open source software for automated video capture and distribution. First noticed in Opencast 13 and 14, Opencast's Elasticsearch integration may generate syntactically invalid Elasticsearch queries in relation to previously acceptable search queries. From…
- CVE-2022-41965Nov 28, 2022risk 0.00cvss —epss 0.00
Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 12.5, Opencast's Paella authentication page could be used to redirect to an arbitrary URL for authenticated users. The vulnerability allows attackers to…
- CVE-2022-29237May 24, 2022risk 0.00cvss —epss 0.01
Opencast is a free and open source solution for automated video capture and distribution at scale. Prior to Opencast 10.14 and 11.7, users could pass along URLs for files belonging to organizations other than the user's own, which Opencast would then import into the current…
- CVE-2021-43821Dec 14, 2021risk 0.00cvss —epss 0.02
Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast before version 9.10 or 10.6 allows references to local file URLs in ingested media packages, allowing attackers to include local files from Opencast's host machines and making them available…
- CVE-2021-43807Dec 14, 2021risk 0.00cvss —epss 0.01
Opencast is an Open Source Lecture Capture & Video Management for Education. Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP…
- CVE-2021-32623Jun 15, 2021risk 0.00cvss —epss 0.01
Opencast is a free and open source solution for automated video capture and distribution. Versions of Opencast prior to 9.6 are vulnerable to the billion laughs attack, which allows an attacker to easily execute a (seemingly permanent) denial of service attack, essentially…
- CVE-2021-21318Feb 18, 2021risk 0.00cvss —epss 0.01
Opencast is a free, open-source platform to support the management of educational audio and video content. In Opencast before version 9.2 there is a vulnerability in which publishing an episode with strict access rules will overwrite the currently set series access. This allows…
- CVE-2020-26234Dec 8, 2020risk 0.00cvss —epss 0.00
Opencast before versions 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host.…
- CVE-2020-5206Jan 30, 2020risk 0.00cvss —epss 0.01
In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an…
- CVE-2020-5231Jan 30, 2020risk 0.00cvss —epss 0.01
In Opencast before 7.6 and 8.1, users with the role ROLE_COURSE_ADMIN can use the user-utils endpoint to create new users not including the role ROLE_ADMIN. ROLE_COURSE_ADMIN is a non-standard role in Opencast which is referenced neither in the documentation nor in any code…
- CVE-2020-5230Jan 30, 2020risk 0.00cvss —epss 0.01
Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This can be problematic for operation and security since such identifiers are sometimes used for file system operations which may lead to an attacker being able to escape…
- CVE-2020-5222Jan 30, 2020risk 0.00cvss —epss 0.01
Opencast before 7.6 and 8.1 enables a remember-me cookie based on a hash created from the username, password, and an additional system key. This means that an attacker getting access to a remember-me token for one server can get access to all servers which allow log-in using the…
- CVE-2020-5229Jan 30, 2020risk 0.00cvss —epss 0.01
Opencast before 8.1 stores passwords using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is…
- CVE-2020-5228Jan 30, 2020risk 0.00cvss —epss 0.01
Opencast before 8.1 and 7.6 allows unauthorized public access to all media and metadata by default via OAI-PMH. OAI-PMH is part of the default workflow and is activated by default, requiring active user intervention of users to protect media. This leads to users unknowingly…