CVE-2025-61788
BaseFortify
Publication date: 2025-10-08
Last updated on: 2025-10-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apereo | opencast | all versions before 17.8 (17.8 excluded) |
| apereo | opencast | 18.0 (included) up to 18.2 (excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61788 is a stored cross-site scripting (XSS) vulnerability in the Paella Player shipped with Opencast. Metadata fields such as the event title and description were interpolated into HTML strings and rendered by the player without escaping, so any markup stored in those fields is parsed as markup rather than displayed as text. An attacker with write access (for example, an account allowed to upload media and edit its metadata) can therefore store HTML and JavaScript in the metadata. When other users open the affected media, that script runs in their browsers within the Opencast origin, where it can alter what the page shows or issue requests with the victim's logged-in session. The fix changes how metadata is rendered: unsafe HTML string interpolation is replaced with DOM element creation and property assignment, so metadata values are inserted as text and cannot introduce new elements or event handlers. [1, 2]
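The bug class described above, as an added example written for this page (it is not Paella Player or Opencast code): a renderer that interpolates metadata into an HTML string destined for innerHTML, next to the approach the fix takes (DOM nodes with textContent) and, for places where a string is unavoidable, HTML escaping. The `doc` parameter and the sample metadata are this example's own assumptions; in the player the document would be the browser global.

```javascript
// Added example, not Opencast/Paella code. Metadata such as an event title is
// controlled by anyone with write access; the vulnerable pattern interpolates
// it into an HTML string that is later assigned to innerHTML, so markup in
// the title is parsed as markup.

// Constructed sample metadata: a title carrying an injected payload.
const SAMPLE_META = {
  title: 'Lecture 1 <img src=x onerror="alert(document.cookie)">',
  description: 'Intro <b>session</b>',
};

// VULNERABLE: string interpolation. The returned string is what the old
// code would feed to element.innerHTML; the <img onerror> survives intact.
function renderMetadataUnsafe(meta) {
  return `<div class="metadata">
  <h2 class="title">${meta.title}</h2>
  <p class="description">${meta.description}</p>
</div>`;
}

// FIX, the approach the patch takes: build DOM nodes and assign text via
// textContent, which never parses its value as HTML. `doc` is passed in
// (an assumption of this example) so the function can run outside a browser;
// in the player it would simply be `document`.
function buildMetadataNode(doc, meta) {
  const container = doc.createElement('div');
  container.className = 'metadata';
  const title = doc.createElement('h2');
  title.className = 'title';
  title.textContent = meta.title;        // text, never markup
  const desc = doc.createElement('p');
  desc.className = 'description';
  desc.textContent = meta.description;
  container.appendChild(title);
  container.appendChild(desc);
  return container;
}

// Alternative when a string is unavoidable (e.g. a string template engine):
// escape the five HTML-significant characters before interpolating.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderMetadataEscaped(meta) {
  return `<div class="metadata">
  <h2 class="title">${escapeHtml(meta.title)}</h2>
  <p class="description">${escapeHtml(meta.description)}</p>
</div>`;
}

// Small check usable as a unit test: does a raw <tag> from the metadata
// survive into the rendered HTML?
function containsRawTag(html, tag) {
  return html.includes('<' + tag);
}

console.log('unsafe leaks <img>:', containsRawTag(renderMetadataUnsafe(SAMPLE_META), 'img'));   // true
console.log('escaped leaks <img>:', containsRawTag(renderMetadataEscaped(SAMPLE_META), 'img')); // false
```

Both safe variants render the description's `<b>` literally, which is the intended trade-off: metadata is plain text, and any formatting it appears to carry is treated as content, not instructions.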
How can this vulnerability impact me?
If exploited, the vulnerability lets an attacker with write access plant scripts in media metadata. Those scripts run in the browsers of every user who views the media, so the attacker can change what those users see or send requests with their session, gaining whatever actions the victim is authorised to perform. The precondition limits who can launch the attack, not who is harmed: an unauthenticated visitor cannot trigger it, but any account with write access, including a compromised one, is enough, and the stored payload keeps firing until the metadata is cleaned. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This is stored XSS in metadata fields (title, description) that the Paella Player renders in Opencast versions before 17.8 and in 18.0 up to but excluding 18.2. Start by checking the installed Opencast version against those ranges. Then look for evidence of exploitation rather than for the bug itself: export event metadata (the admin interface and the External API's event listing both expose title and description) and search those fields for markup or script, for instance `<script`, `<img`, `<svg`, `<iframe`, `on...=` event handlers, `javascript:` URLs, and HTML entities used to disguise them. Because exploitation requires write access, also review which accounts created or modified events and when, and follow up on edits nobody expected. The referenced resources give no specific commands; the checks above can be run against the Opencast database, its REST API, or by fetching the player page and inspecting the served HTML for injected tags in the metadata area. Note that after the fix a stored payload is rendered as harmless text but is still in the database, so the metadata audit is worthwhile even on an upgraded system. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Upgrade Opencast to a fixed release: 17.8 or later on the 17.x line, or 18.2 or later on the 18.x line. In those versions metadata is rendered through DOM element creation instead of HTML interpolation, so stored markup is displayed as text rather than executed. Until you can upgrade, restrict write access (media upload and metadata editing) to trusted accounts, since that access is required to exploit the flaw, and review existing metadata for injected HTML or script, removing anything you find. Repeat that review after the upgrade, because the fix neutralises stored payloads at render time but does not delete them. Only if you maintain a patched or forked player do you need to apply the code change yourself; keep to the same approach as the upstream fix and create elements and assign text through properties rather than building HTML strings from metadata. [1, 2]