CVE-2025-61906

4.3 MEDIUM

📋 TL;DR

Opencast's editor may publish videos without user notification when users with write access click 'Save & Publish' then select 'Save' instead. This could accidentally expose internal media not intended for publication. Only affects Opencast users with event write access who use the editor interface.

💻 Affected Systems

Products:
  • Opencast
Versions: All versions prior to 17.8 and 18.2
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users with write access to events who use the editor interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Internal or sensitive media accidentally published to public audiences, potentially violating privacy or confidentiality requirements.

🟠 Likely Case

Low-impact accidental publication of non-sensitive media, given the specific user actions required and typical editor usage patterns.

🟢 If Mitigated

Minimal impact with proper user training and access controls limiting editor usage to trusted personnel.

🌐 Internet-Facing: LOW - Requires authenticated user with specific permissions and deliberate editor interaction.
🏢 Internal Only: LOW - Same authentication and permission requirements apply internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated user with write permissions, specific editor usage, and specific button sequence ('Save & Publish' then 'Save').

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Opencast 17.8 or 18.2

Vendor Advisory: https://github.com/opencast/opencast/security/advisories/GHSA-x6vw-p693-jjhv

Restart Required: No

Instructions:

1. Upgrade Opencast to version 17.8 or 18.2.
2. No service restart is required.
3. Verify editor functionality after the upgrade.

🔧 Temporary Workarounds

Editor Access Restriction (scope: all)

Limit editor access to only trusted users who require publishing capabilities.

User Training (scope: all)

Train users to avoid clicking 'Save & Publish' unless they intend to publish, and to use 'Save' only when not publishing.

🧯 If You Can't Patch

  • Implement strict access controls limiting editor usage to essential personnel only.
  • Monitor publishing logs for unusual activity and implement approval workflows for publications.

🔍 How to Verify

Check if Vulnerable:

Check the Opencast version: a 17.x release below 17.8, or an 18.x release below 18.2, is vulnerable.

Check Version:

Read the version number from the Opencast admin interface or from the configuration files.

Verify Fix Applied:

Verify that the Opencast version is 17.8 (on the 17.x line) or 18.2 (on the 18.x line) or later, then test the editor to confirm that the user is notified before a publish occurs.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected publish events from editor interface
  • Rapid sequence of save and publish actions

Network Indicators:

  • Increased publishing traffic from editor users

SIEM Query:

Search for 'publish' events from editor interface without corresponding user confirmation logs.
