CVE-2025-61788
📋 TL;DR
Opencast versions before 17.8 and 18.2 have a stored cross-site scripting (XSS) vulnerability where user-supplied metadata (like titles and descriptions) is rendered without proper sanitization in the paella player. This allows authenticated attackers with write access to inject malicious HTML/JavaScript that executes in other users' browsers when they view the media. Only users with write permissions (like content uploaders) can exploit this vulnerability.
💻 Affected Systems
- Opencast
📦 What is this software?
Opencast by Apereo
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as logged-in users (like modifying content or accessing sensitive data), or redirect users to malicious sites.
Likely Case
Attackers with legitimate write access could embed malicious scripts to hijack sessions or deface media pages for users viewing their content.
If Mitigated
Proper input validation and output encoding eliminate the risk; existing instances should be upgraded or should sanitize user-supplied metadata before rendering it.
🎯 Exploit Status
Exploitation requires authenticated write access to inject malicious metadata; the payload executes automatically when users view the media.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Opencast 17.8 or 18.2
Vendor Advisory: https://github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r
Restart Required: No
Instructions:
1. Back up your Opencast instance.
2. Upgrade to Opencast 17.8 or 18.2.
3. Verify the fix by checking that user-supplied metadata is properly sanitized (rendered as plain text) in the paella player.
🔧 Temporary Workarounds
Input Sanitization
Implement server-side input validation and output encoding for all user-supplied metadata fields before they are rendered in the paella player.
🧯 If You Can't Patch
- Restrict write access to trusted users only, minimizing the attack surface.
- Implement a web application firewall (WAF) with XSS protection rules to block malicious payloads.
🔍 How to Verify
Check if Vulnerable:
Your instance is vulnerable if it runs an Opencast version below 17.8 (17.x line) or below 18.2 (18.x line). To test, upload media whose metadata contains HTML/JavaScript and check whether it executes in the player.
Check Version:
Check the Opencast admin interface or run the appropriate version command for your installation method (e.g., for Docker: docker inspect opencast | grep version).
Verify Fix Applied:
After patching, test with the same payload; it should be displayed as plain text without execution.
📡 Detection & Monitoring
Log Indicators:
- Unusual metadata updates with HTML/JavaScript patterns in user activity logs.
- Failed login attempts followed by metadata modifications if attackers gain write access.
Network Indicators:
- HTTP requests with suspicious payloads in metadata fields during media uploads.
SIEM Query:
source="opencast" AND event="metadata_update" AND (data CONTAINS "<script>" OR data CONTAINS "javascript:")
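As an added illustration of the output encoding recommended under Input Sanitization and of the indicator patterns used in the SIEM query above (example code, not Opencast or paella player code): metadata is rendered into a markup fragment with every untrusted value escaped, and a helper flags metadata records carrying the same patterns. The field names, function names and sample payload strings are constructed for this example.

```javascript
// Added example (not Opencast/paella code): output-encode user-supplied media
// metadata so markup inside a title or description is shown as literal text.

// Escape the five characters that can change HTML context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: raw metadata concatenated straight into markup.
function renderMetadataUnsafe(meta) {
  return `<h1 class="title">${meta.title}</h1>` +
         `<p class="description">${meta.description}</p>`;
}

// Hardened pattern: every untrusted value passes through escapeHtml first,
// so the browser parses it as text, never as tags or attributes.
function renderMetadataSafe(meta) {
  return `<h1 class="title">${escapeHtml(meta.title)}</h1>` +
         `<p class="description">${escapeHtml(meta.description)}</p>`;
}

// Detection helper mirroring the SIEM query's indicators: returns the names
// of the patterns found in a metadata record (case-insensitive).
const INDICATORS = [
  ['script_tag', /<script\b/i],
  ['javascript_uri', /javascript:/i],
];
function flagSuspiciousMetadata(meta) {
  const text = Object.values(meta).join('\n');
  return INDICATORS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Constructed sample: metadata carrying markup, as a contributor with write
// access could submit it.
const sampleMetadata = {
  title: 'Lecture 3 <script>alert(1)</script>',
  description: 'Slides: <a href="javascript:alert(2)">here</a>',
};

console.log('unsafe :', renderMetadataUnsafe(sampleMetadata));
console.log('safe   :', renderMetadataSafe(sampleMetadata));
console.log('flags  :', flagSuspiciousMetadata(sampleMetadata));
```

The safe rendering is what "displayed as plain text without execution" looks like when verifying the fix; the unsafe rendering shows the pre-patch behaviour the advisory describes.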