Opencast
cpe:2.3:a:apereo:opencast:*:*:*:*:*:*:*
- < 17.8
- < 18.2
A vulnerability exists in Opencast versions prior to 17.8 and 18.2, where the editor may unintentionally publish videos without user awareness. This issue can lead to the accidental release of internal media. The vulnerability affects users with write access to an event who use the editor to manage publications. The problem arises after clicking 'Save & Publish' followed by 'Save', which can trigger an unintentional publication workflow. Although the likelihood of this occurring is low, it remains a possibility.
The vulnerability can cause internal media to be published accidentally, potentially leading to unauthorized exposure of sensitive content.
To reproduce this issue, open the Opencast editor and make changes such as editing metadata or generating a thumbnail. After clicking 'Finish' and then 'Save and process changes', return to the editor and select 'Save changes'. Confirm the save, then reload the page. The editor will indicate that the event is being processed, but it will have already initiated the publication workflow, despite the user's intention to delay publishing.
Users can update to Opencast versions 17.8 or 18.2 to address this vulnerability.
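The affected ranges above apply per release line, so a plain "older than 18.2" comparison would wrongly flag a patched 17.8 install. The following is an added example, not part of the original advisory or of Opencast's code: a branch-aware check of installed versions against the two fixed releases, assuming each line is fixed independently and using a constructed inventory with placeholder host names.

```python
import re

# Fixed releases named in the advisory, keyed by major release line.
FIXED = {17: (17, 8), 18: (18, 2)}


def parse_version(text):
    """Parse a 'MAJOR.MINOR' Opencast version string into a tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(text):
    """True if the version falls in '< 17.8' or '< 18.2' for its own line."""
    major, minor = parse_version(text)
    if major in FIXED:
        return (major, minor) < FIXED[major]
    # Assumption: lines older than 17 fall under '< 17.8'; lines newer than
    # 18 are outside both listed ranges.
    return major < min(FIXED)


def triage(inventory):
    """Map each host to 'affected', 'not affected' or 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            hit = is_affected(version)
            result[host] = "affected" if hit else "not affected"
        except ValueError:
            # Unparsable string (e.g. a snapshot build): check by hand.
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed inventory; host names are placeholders.
    sample = {
        "oc-admin.example": "17.7",
        "oc-test.example": "17.8",
        "oc-prod.example": "18.1",
        "oc-dev.example": "18.2-SNAPSHOT",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```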