SB2026042394 - Multiple vulnerabilities in Opencast

Description

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2025-61906)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper workflow handling in the editor when processing save and publish actions. A remote user can trigger unintended publication of media to disclose sensitive information.

Exploitation requires write access to an event and user interaction in the editor, specifically clicking "Save & Publish" before selecting the "Save" option.

2) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-61788)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to execute arbitrary script in a user's browser.

The vulnerability exists due to improper neutralization of script-related html tags in paella player 7 when rendering user-supplied metadata. A remote user can inject malicious html and javascript into metadata fields to execute arbitrary script in a user's browser.

Exploitation requires write access to the system, such as the ability to upload media and modify metadata.

Remediation

Install update from vendor's website.

References

• https://github.com/opencast/opencast/security/advisories/GHSA-x6vw-p693-jjhv
• https://github.com/advisories/GHSA-x6vw-p693-jjhv
• https://github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r
• https://github.com/advisories/GHSA-m2vg-rmq6-p62r