CVE-2020-5206 HIGH

CVE-2020-5206: Authentication Bypass For Endpoints With Anonymous Access in OpenCast

Vendor Opencast
Product opencast
Weakness CWE-285
Published January 30, 2020
Last update August 4, 2024
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1

Key dates

02Disclosure timeline

January 30, 2020 CVE published
August 4, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-11521 Astra Security Suite – Firewall & Malware Scan <= 0.2 - Unauthenticated Arbitrary File Upload CVE-2021-42336 Huachu Digital Technology Co.,Ltd. Easytest - Improper Authorization CVE-2025-43585 Adobe Commerce | Improper Authorization (CWE-285) CVE-2024-2317 Bdtask Hospital AutoManager Prescription Page improper authorization CVE-2025-12777 YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Wishlist Token Disclosure to Wishlist Item Deletion