CVE-2025-61906
BaseFortify

Publication date: 2025-10-08

Last updated on: 2025-10-09

Assigner: GitHub, Inc.

Description
Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, in some situations, Opencast's editor may publish a video without notifying the user. This may lead to users accidentally publishing media not meant for publishing, and thus possibly exposing internal media. The risk of this actually impacting someone is very low, though. This can only be triggered by users with write access to an event. They also have to use the editor, which is usually an action taken if they want to publish media and not something users would use on internal media they do not want to publish. Finally, they have to first click on "Save & Publish" before then selecting the "Save" option. Nevertheless, while very unlikely, this can happen. This issue is fixed in Opencast 17.8 and 18.2.
Meta Information
Published: 2025-10-08
Last Modified: 2025-10-09
Generated: 2026-05-06
AI Q&A: 2025-10-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
apereo | opencast | to 17.8 (exc)
apereo | opencast | From 18.0 (inc) to 18.2 (exc)
CWE ID | Description
CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Opencast versions prior to 17.8 and 18.2 causes the editor to accidentally publish videos without notifying the user. It happens when a user with write access to an event uses the editor and first clicks "Save & Publish" then selects the "Save" option. This sequence can unintentionally trigger the publishing workflow, leading to media being published that the user did not intend to publish. [2, 3]


How can this vulnerability impact me?

The vulnerability can lead to accidental publishing of internal or sensitive media, potentially exposing content that was not meant to be public. Users may also get stuck in the editor with messages indicating the event is being processed, which affects usability and can cause further errors if changes continue during this state. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is related to the Opencast editor unintentionally publishing videos during specific user actions in the editor interface. Detection involves monitoring user actions in the Opencast editor, especially sequences where a user with write access clicks "Save & Publish" followed by "Save". There are no specific network or system commands provided to detect this vulnerability automatically. Instead, detection relies on reviewing user activity logs or audit trails within the Opencast system to identify unintended publish workflows being triggered. [2, 3]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade Opencast to version 17.8 or 18.2 or later, where the issue is fixed. The fix introduces explicit control over workflow initiation during saving operations, preventing accidental publishing. Until upgrading, restrict write access to trusted users only and educate users about the specific sequence of actions that can trigger accidental publishing to avoid unintentional exposure of media. [1, 3]

