CVE-2020-5206

CRITICAL Year: 2020
CVSS v3 Score
10.0
Critical
CVSS v2 Score
6.4
Medium
Weakness Type
CWE-285
View all →

Vulnerability Description

In Opencast before 7.6 and 8.1, using a remember-me cookie with an arbitrary username can cause Opencast to assume proper authentication for that user even if the remember-me cookie was incorrect given that the attacked endpoint also allows anonymous access. This way, an attacker can, for example, fake a remember-me token, assume the identity of the global system administrator and request non-public content from the search service without ever providing any proper authentication. This problem is fixed in Opencast 7.6 and Opencast 8.1

Related Vulnerabilities

CVE-2021-31384

CRITICAL
CVSS:10.0(Critical)

Due to a Missing Authorization weakness and Insufficient Granularity of Access Control in a specific device configuration, a vulnerability exists in Juniper Networks Junos OS on SRX Series whereby an ...

CWE-2852021

CVE-2021-37705

CRITICAL
CVSS:10.0(Critical)

OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or greater, an incomplete authorization check allows an authenticated user from any Azure Active Direc...

CWE-2852021

CVE-2020-3374

CRITICAL
CVSS:9.9(Critical)

A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization, enabling them to access sensitive informat...

CWE-2852020

CVE-2025-29827

CRITICAL
CVSS:9.9(Critical)

Improper Authorization in Azure Automation allows an authorized attacker to elevate privileges over a network.

CWE-2852025

CVE-2015-3954

CRITICAL
CVSS:9.8(Critical)

Hospira Plum A+ Infusion System version 13.4 and prior, Plum A+3 Infusion System version 13.6 and prior, and Symbiq Infusion System, version 3.13 and prior give unauthenticated users root privileges o...

CWE-2852015