Opencast
cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*
- <= 17.7
- <= 18
- 18.0
- 18.1
A cross-site scripting (XSS) vulnerability has been identified in the Opencast Paella player, affecting versions through 17.7 as well as 18.0 and 18.1. User-supplied input, such as metadata including titles and descriptions, was rendered in the player without filtering or encoding. This allows attackers with write access to inject malicious HTML and JavaScript that is executed in the browsers of users viewing the content; the injected scripts could be used to alter the site or perform actions on behalf of logged-in users.
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser, potentially leading to unauthorized actions or site modifications.
To reproduce this vulnerability, upload a media file and include malicious metadata such as a title or description that contains harmful HTML or JavaScript. Once the media is processed, the injected scripts will execute in the browser of anyone viewing the content.
Users can upgrade to Opencast versions 17.8 or 18.2 to address this vulnerability.
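The rendering mistake described above, shown as an added example that is not Opencast or Paella code: the same metadata interpolated into markup as-is, beside a version that encodes each field first, plus an ingest-side check that flags metadata containing markup characters. The sample metadata and all function names are constructed for this illustration.

```javascript
// Constructed sample metadata (not from any real Opencast instance): the title and
// description carry marker markup of the kind the advisory says was rendered unfiltered.
const SAMPLE_METADATA = {
  title: 'Lecture 1 <script>alert(1)</script>',
  description: 'Intro & overview <img src=x onerror="alert(2)">',
};

// Minimal HTML encoding for text placed in element content or quoted attribute values.
// In a browser the equivalent fix is to assign metadata via element.textContent
// instead of innerHTML; this string encoder covers template/string-building paths.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: metadata fields interpolated into markup without encoding,
// so any tags in the title or description become live DOM when the player renders them.
function renderMetadataUnsafe(meta) {
  return `<h1 class="title">${meta.title}</h1>` +
         `<p class="description">${meta.description}</p>`;
}

// Hardened pattern: every field is encoded before it reaches the markup,
// so tags from the metadata are displayed as literal text rather than executed.
function renderMetadataSafe(meta) {
  return `<h1 class="title">${escapeHtml(meta.title)}</h1>` +
         `<p class="description">${escapeHtml(meta.description)}</p>`;
}

// Ingest-side detection: list metadata fields that contain markup characters, so
// suspicious uploads can be logged or reviewed independently of the player fix.
function fieldsContainingMarkup(meta) {
  return Object.keys(meta).filter((key) => /[<>]/.test(String(meta[key])));
}

// Stand-alone run: show both renderings and the flagged fields.
console.log('unsafe :', renderMetadataUnsafe(SAMPLE_METADATA));
console.log('safe   :', renderMetadataSafe(SAMPLE_METADATA));
console.log('flagged:', fieldsContainingMarkup(SAMPLE_METADATA));
```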