The CVE-2025-45404 vulnerability in Opencast’s Paella Player stems from improper neutralization of user-controlled input before its inclusion in the rendered web page. Specifically, the player fails to adequately sanitize user-supplied metadata fields, such as the and description of a video, when displaying them. An attacker with the ability to upload media and modify this metadata can inject malicious HTML and JavaScript code. When a legitimate user views the video containing the malicious metadata, the injected payload is executed within the context of the user’s browser session. This execution occurs because the application treats the unsanitized input as trusted HTML markup rather than plain text, allowing for client-side code injection. Exploitation is limited to authenticated users who have write access to modify media metadata; unauthenticated parties cannot exploit it.
Platform: Opencast
Version: <= 16.10
Vulnerability: Cross-Site Scripting
Severity: Moderate
Date: 2025-10-08
Prediction: Patch available
What Undercode Say:
Example of malicious metadata that could be injected:
curl -X POST -H "Authorization: Bearer <token>" -d '{"":"<script>alert('\''XSS'\'')</script>My Video"}' https://opencast.example.org/api/events
<!-- How the unsanitized input might be rendered in the page -->
<div class="paella-player-">
<script>alert('XSS')</script>My Video
</div>
How Exploit:
An attacker with write access uploads a video and sets its or description to a malicious script. When a user views the video, the script executes in their browser, potentially hijacking their session.
Protection from this CVE
Upgrade to Opencast 17.8 or 18.2, which contain the necessary fixes for input sanitization.
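The output-encoding fix and a post-upgrade audit, as an added example that is not Opencast or Paella Player code: it contrasts rendering metadata as HTML with rendering it as encoded text, and flags stored records that already contain markup. The record shape, the field names (title, description), the class name and the sample records are assumptions constructed for illustration.

```javascript
// Added example: not Opencast or Paella Player code. Record shape, field
// names and class name are assumptions; the sample records are constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a metadata value so the browser treats it as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern described above: metadata interpolated as HTML.
function renderUnsafe(meta) {
  return `<div class="video-meta"><h1>${meta.title}</h1><p>${meta.description}</p></div>`;
}

// Hardened pattern: every user-controlled field is encoded on output.
function renderSafe(meta) {
  return `<div class="video-meta"><h1>${escapeHtml(meta.title)}</h1>` +
         `<p>${escapeHtml(meta.description)}</p></div>`;
}

// Defender-side audit: list stored records whose text fields contain an
// HTML tag, so they can be reviewed and cleaned after upgrading.
const TAG = /<\s*\/?\s*[a-z][^>]*>/i;
function auditRecords(records) {
  const findings = [];
  for (const rec of records) {
    for (const [field, value] of Object.entries(rec)) {
      if (field !== 'id' && typeof value === 'string' && TAG.test(value)) {
        findings.push({ id: rec.id, field });
      }
    }
  }
  return findings;
}

// Constructed sample records; ev-2 carries the payload shown on this page.
const SAMPLE = [
  { id: 'ev-1', title: 'Lecture 1', description: 'Intro & overview, 3 < 5' },
  { id: 'ev-2', title: "<script>alert('XSS')</script>My Video", description: 'Demo' },
  { id: 'ev-3', title: 'Seminar', description: '<a href="https://example.org">link</a>' },
];

console.log(renderSafe(SAMPLE[1]));
console.log(auditRecords(SAMPLE));
```

The audit flags any tag, including harmless ones, because a player that encodes output correctly would display such markup literally anyway.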
Impact:
Malicious script execution, session hijacking for logged-in users viewing the compromised media.
Sources:
Reported By: github.com

