CVE-2025-61788: Opencast's Paella Player 7 is vulnerable to Cross-Site Scripting

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 10/8/2025
Updated: 10/8/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: -

Package Name: org.opencastproject:opencast-common
Ecosystem: maven
Vulnerable Versions: <= 16.10
First Patched Version:

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is a classic stored Cross-Site Scripting (XSS) issue within the Paella Player plugins of Opencast. The root cause is the unsafe rendering of user-provided metadata. The investigation of the patch commit 2809520fa88d108d8104c760f00c10bad42c14f9 confirms this. In multiple plugins, the getContent method was responsible for generating HTML to be displayed in the player UI. These methods used JavaScript template literals to directly embed metadata values (like title, description, series name, etc.) into HTML strings. An attacker with permissions to edit event metadata could save malicious HTML/JavaScript content in these fields.

The patch systematically resolves this issue by refactoring the code to first create static HTML templates and then populate the dynamic data using safe properties like .innerText or .textContent. This ensures that any user-provided data is treated as plain text and not interpreted as HTML by the browser, thus neutralizing the XSS vector. The identified vulnerable functions are all named getContent within their respective plugin classes, as this is where the unsafe HTML generation occurred. Any of these functions would appear in a runtime profile or stack trace during the exploitation of this vulnerability when the corresponding UI element (e.g., description pop-up, downloads list) is rendered.

Vulnerable functions

DescriptionPlugin.getContent
modules/engage-paella-player-7/src/plugins/org.opencast.paella.descriptionPlugin.js
The function constructs HTML for the description pop-up by directly embedding metadata fields like title, description, presenters, etc., into an HTML string using template literals. An attacker with write access can inject malicious HTML and JavaScript into these metadata fields, which will then be executed in the browser of any user viewing the media.

DownloadsPlugin.getContent
modules/engage-paella-player-7/src/plugins/org.opencast.paella.downloadsPlugin.js
The function generates download links for media. It was vulnerable because it directly embedded metadata, such as resolution or mimetype information (`meta`, `d.mimetype`), into the HTML structure. This could be exploited if an attacker can manipulate the metadata associated with downloadable files, leading to XSS when a user opens the downloads pop-up.

EpisodesFromSeriesPlugin.getContent
modules/engage-paella-player-7/src/plugins/org.opencast.paella.episodesFromSeries.js
This function displays other episodes from the same series. It was vulnerable because it used the episode title (`dcTitle`) directly in the generated HTML for the episode list. An attacker could set a malicious episode title, causing arbitrary HTML and script to be executed in the context of the user viewing the series list.

TranscriptionsPlugin.getContent
modules/engage-paella-player-7/src/plugins/org.opencast.paella.transcriptionsPlugin.js
The function displays transcriptions for the video. It was vulnerable to XSS because it directly embedded the transcription text (`t.text`) into the HTML. If an attacker could provide a malicious transcription, the injected code would execute when a user views the transcriptions.

OpencastPaellaVersionPlugin.getContent
modules/engage-paella-player-7/src/plugins/org.opencast.paella.versionButton.js
This function displays version information about the player and its plugins. While less likely to be user-controlled, the patch indicates that the data being rendered was considered untrusted. The function was vulnerable because it directly embedded version strings into the HTML, which could lead to XSS if this data could be manipulated by an attacker.
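The template-literal pattern described in the root cause analysis and the description pop-up entry above, beside the fix shape the patch adopted (static structure first, dynamic values assigned through textContent), as an added example that is not Opencast's code. The field names title, description and presenters follow the analysis; the metadata sample, the stored markup in the title and the Node-only DOM stand-in fakeDocument are constructed for this example.

```javascript
// Vulnerable shape (the getContent pattern described above): metadata is
// interpolated into an HTML string, so stored markup is parsed as markup.
function renderDescriptionUnsafe(meta) {
  return `<div class="description"><h1>${meta.title}</h1>` +
    `<p>${meta.description}</p>` +
    `<p class="presenters">${meta.presenters.join(', ')}</p></div>`;
}

// Fixed shape (as in the patch): static structure first, dynamic values set
// via textContent. `doc` is `document` in a browser, fakeDocument() in Node.
function renderDescriptionSafe(meta, doc) {
  const root = doc.createElement('div');
  root.className = 'description';
  const h1 = doc.createElement('h1');
  h1.textContent = meta.title;
  const p = doc.createElement('p');
  p.textContent = meta.description;
  const presenters = doc.createElement('p');
  presenters.className = 'presenters';
  presenters.textContent = meta.presenters.join(', ');
  root.append(h1, p, presenters);
  return root;
}

// Minimal DOM stand-in (assumption, Node only): text set via textContent is
// serialised with & < > " escaped, as a browser serialises it.
function fakeDocument() {
  const esc = (s) => String(s).replace(/[&<>"]/g,
    (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
  return {
    createElement(tag) {
      const el = { className: '', textContent: '', children: [] };
      el.append = (...kids) => el.children.push(...kids);
      Object.defineProperty(el, 'outerHTML', { get() {
        const cls = el.className ? ` class="${el.className}"` : '';
        const inner = el.children.length
          ? el.children.map((k) => k.outerHTML).join('') : esc(el.textContent);
        return `<${tag}${cls}>${inner}</${tag}>`;
      } });
      return el;
    },
  };
}

// Constructed event metadata with markup stored in the title field.
const sampleMeta = { title: 'Lecture 3 <b>not a title</b>',
  description: 'Intro & overview', presenters: ['A. Lecturer'] };
const unsafeHtml = renderDescriptionUnsafe(sampleMeta);               // raw <b>
const safeHtml = renderDescriptionSafe(sampleMeta, fakeDocument()).outerHTML; // &lt;b&gt;
```

In the browser the same renderDescriptionSafe is called with the real document, and the resulting element is appended to the pop-up instead of assigning an HTML string.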
