cvelistv5 - cve-2025-61788

CVE-2025-61788 (GCVE-0-2025-61788)

Vulnerability from cvelistv5 – Published: 2025-10-08 18:03 – Updated: 2025-10-08 18:26

Summary

Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified. The vulnerability allows attackers to inject and malicious HTML and JavaScript in the player, which would then be executed in the browsers of users watching the prepared media. This can then be used to modify the site or to execute actions in the name of logged-in users. To inject malicious metadata, an attacker needs write access to the system. For example, the ability to upload media and modify metadata. This cannot be exploited by unauthenticated users. This issue is fixed in Opencast 17.8 and 18.2.

Severity ?

5.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/opencast/opencast/security/adv…	x_refsource_CONFIRM
	https://github.com/opencast/opencast/commit/28095…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	opencast	opencast	Affected: < 17.8 Affected: >= 18.0, < 18.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-61788",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-08T18:26:03.593427Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-08T18:26:13.505Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "opencast",
          "vendor": "opencast",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 17.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 18.0, \u003c 18.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified. The vulnerability allows attackers to inject and malicious HTML and JavaScript in the player, which would then be executed in the browsers of users watching the prepared media. This can then be used to modify the site or to execute actions in the name of logged-in users. To inject malicious metadata, an attacker needs write access to the system. For example, the ability to upload media and modify metadata. This cannot be exploited by unauthenticated users. This issue is fixed in Opencast 17.8 and 18.2."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-08T18:03:22.518Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r"
        },
        {
          "name": "https://github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9"
        }
      ],
      "source": {
        "advisory": "GHSA-m2vg-rmq6-p62r",
        "discovery": "UNKNOWN"
      },
      "title": "Opencast Paella Player 7 vulnerable to Cross-Site-Scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-61788",
    "datePublished": "2025-10-08T18:03:22.518Z",
    "dateReserved": "2025-09-30T19:43:49.903Z",
    "dateUpdated": "2025-10-08T18:26:13.505Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-61788\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-10-08T18:15:35.407\",\"lastModified\":\"2025-10-09T16:00:05.127\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified. The vulnerability allows attackers to inject and malicious HTML and JavaScript in the player, which would then be executed in the browsers of users watching the prepared media. This can then be used to modify the site or to execute actions in the name of logged-in users. To inject malicious metadata, an attacker needs write access to the system. For example, the ability to upload media and modify metadata. This cannot be exploited by unauthenticated users. This issue is fixed in Opencast 17.8 and 18.2.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"17.8\",\"matchCriteriaId\":\"4985831C-8FF6-4CC4-AFD9-1DCAD7888B5E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"18.0\",\"versionEndExcluding\":\"18.2\",\"matchCriteriaId\":\"33B836FD-FD4C-4FC2-9844-EF0DF0D4EB0D\"}]}]}],\"references\":[{\"url\":\"https://github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-61788\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-10-08T18:26:03.593427Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-10-08T18:26:06.562Z\"}}], \"cna\": {\"title\": \"Opencast Paella Player 7 vulnerable to Cross-Site-Scripting\", \"source\": {\"advisory\": \"GHSA-m2vg-rmq6-p62r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"opencast\", \"product\": \"opencast\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 17.8\"}, {\"status\": \"affected\", \"version\": \"\u003e= 18.0, \u003c 18.2\"}]}], \"references\": [{\"url\": \"https://github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r\", \"name\": \"https://github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9\", \"name\": \"https://github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified. The vulnerability allows attackers to inject and malicious HTML and JavaScript in the player, which would then be executed in the browsers of users watching the prepared media. This can then be used to modify the site or to execute actions in the name of logged-in users. To inject malicious metadata, an attacker needs write access to the system. For example, the ability to upload media and modify metadata. This cannot be exploited by unauthenticated users. This issue is fixed in Opencast 17.8 and 18.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-10-08T18:03:22.518Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-61788\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-08T18:26:13.505Z\", \"dateReserved\": \"2025-09-30T19:43:49.903Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-10-08T18:03:22.518Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-M2VG-RMQ6-P62R

Vulnerability from github – Published: 2025-10-08 20:33 – Updated: 2025-10-13 15:39

Summary

Opencast's Paella Player 7 is vulnerable to Cross-Site Scripting

Details

Prior to Opencast 17.8 and 18.2 the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified.

Impact

The vulnerability allows attackers to inject and malicious HTML and JavaScript in the player, which would then be executed in the browsers of users watching the prepared media. This can then be used to modify the site or to execute actions in the name of logged-in users.

To inject malicious metadata, an attacker needs write access to the system. For example, the ability to upload media and modify metadata. This cannot be exploited by unauthenticated users.

Patches

This issue is fixed in Opencast 17.8 and 18.2, however they are not published to the Maven registry.

Resources

Patch fixing the issue

For more information

If you have any questions or comments about this advisory: * Open an issue in our issue tracker * Email us at security@opencast.org

Severity ?

5.4 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

5.1 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.opencastproject:opencast-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "16.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61788"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-08T20:33:31Z",
    "nvd_published_at": "2025-10-08T18:15:35Z",
    "severity": "MODERATE"
  },
  "details": "Prior to Opencast 17.8 and 18.2 the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified.\n\n### Impact\n\nThe vulnerability allows attackers to inject and malicious HTML and JavaScript in the player, which would then be executed in the browsers of users watching the prepared media. This can then be used to modify the site or to execute actions in the name of logged-in users.\n\nTo inject malicious metadata, an attacker needs write access to the system. For example, the ability to upload media and modify metadata. This cannot be exploited by unauthenticated users.\n\n### Patches\n\nThis issue is fixed in Opencast 17.8 and 18.2, however they are not published to the Maven registry.\n\n### Resources\n\n- [Patch fixing the issue](https://github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [our issue tracker](https://github.com/opencast/opencast/issues)\n* Email us at [security@opencast.org](mailto:security@opencast.org)",
  "id": "GHSA-m2vg-rmq6-p62r",
  "modified": "2025-10-13T15:39:38Z",
  "published": "2025-10-08T20:33:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61788"
    },
    {
      "type": "WEB",
      "url": "https://github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/opencast/opencast"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Opencast\u0027s Paella Player 7 is vulnerable to Cross-Site Scripting"
}

FKIE_CVE-2025-61788

Vulnerability from fkie_nvd - Published: 2025-10-08 18:15 - Updated: 2025-10-09 16:00

Severity ?

5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9	Patch
	security-advisories@github.com	https://github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r	Vendor Advisory

Impacted products

	Vendor	Product	Version
	apereo	opencast	*
	apereo	opencast	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4985831C-8FF6-4CC4-AFD9-1DCAD7888B5E",
              "versionEndExcluding": "17.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "33B836FD-FD4C-4FC2-9844-EF0DF0D4EB0D",
              "versionEndExcluding": "18.2",
              "versionStartIncluding": "18.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, the paella would include and render some user inputs (metadata like title, description, etc.) unfiltered and unmodified. The vulnerability allows attackers to inject and malicious HTML and JavaScript in the player, which would then be executed in the browsers of users watching the prepared media. This can then be used to modify the site or to execute actions in the name of logged-in users. To inject malicious metadata, an attacker needs write access to the system. For example, the ability to upload media and modify metadata. This cannot be exploited by unauthenticated users. This issue is fixed in Opencast 17.8 and 18.2."
    }
  ],
  "id": "CVE-2025-61788",
  "lastModified": "2025-10-09T16:00:05.127",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 5.1,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "LOW",
          "subIntegrityImpact": "LOW",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-10-08T18:15:35.407",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/opencast/opencast/commit/2809520fa88d108d8104c760f00c10bad42c14f9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/opencast/opencast/security/advisories/GHSA-m2vg-rmq6-p62r"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

CNVD-2025-24641

Vulnerability from cnvd - Published: 2025-10-23

Title

Opencast跨站脚本漏洞

Description

Opencast是Opencast组织的一款用于大规模自动视频捕获，管理和分发的直播视频支撑软件。 Opencast存在跨站脚本漏洞，该漏洞源于应用对用户提供的数据缺乏有效过滤与转义，攻击者可利用该漏洞通过注入精心设计的有效载荷执行任意Web脚本或HTML。

Severity

中

Patch Name

Opencast跨站脚本漏洞的补丁

Patch Description

Opencast是Opencast组织的一款用于大规模自动视频捕获，管理和分发的直播视频支撑软件。 Opencast存在跨站脚本漏洞，该漏洞源于应用对用户提供的数据缺乏有效过滤与转义，攻击者可利用该漏洞通过注入精心设计的有效载荷执行任意Web脚本或HTML。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://opencast.org/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-61788

Impacted products

Name
['Opencast Opencast <17.8', 'Opencast Opencast <18.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-61788",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-61788"
    }
  },
  "description": "Opencast\u662fOpencast\u7ec4\u7ec7\u7684\u4e00\u6b3e\u7528\u4e8e\u5927\u89c4\u6a21\u81ea\u52a8\u89c6\u9891\u6355\u83b7\uff0c\u7ba1\u7406\u548c\u5206\u53d1\u7684\u76f4\u64ad\u89c6\u9891\u652f\u6491\u8f6f\u4ef6\u3002\n\nOpencast\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u7f3a\u4e4f\u6709\u6548\u8fc7\u6ee4\u4e0e\u8f6c\u4e49\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6ce8\u5165\u7cbe\u5fc3\u8bbe\u8ba1\u7684\u6709\u6548\u8f7d\u8377\u6267\u884c\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://opencast.org/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-24641",
  "openTime": "2025-10-23",
  "patchDescription": "Opencast\u662fOpencast\u7ec4\u7ec7\u7684\u4e00\u6b3e\u7528\u4e8e\u5927\u89c4\u6a21\u81ea\u52a8\u89c6\u9891\u6355\u83b7\uff0c\u7ba1\u7406\u548c\u5206\u53d1\u7684\u76f4\u64ad\u89c6\u9891\u652f\u6491\u8f6f\u4ef6\u3002\r\n\r\nOpencast\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u7528\u6237\u63d0\u4f9b\u7684\u6570\u636e\u7f3a\u4e4f\u6709\u6548\u8fc7\u6ee4\u4e0e\u8f6c\u4e49\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u6ce8\u5165\u7cbe\u5fc3\u8bbe\u8ba1\u7684\u6709\u6548\u8f7d\u8377\u6267\u884c\u4efb\u610fWeb\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Opencast\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Opencast Opencast \u003c17.8",
      "Opencast Opencast \u003c18.2"
    ]
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-61788",
  "serverity": "\u4e2d",
  "submitTime": "2025-10-21",
  "title": "Opencast\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-61788 (GCVE-0-2025-61788)

GHSA-M2VG-RMQ6-P62R

Impact

Patches

Resources

For more information

FKIE_CVE-2025-61788

CNVD-2025-24641

Tags

Sightings

Nomenclature