CVE Alert: CVE-2025-54380
Vulnerability Summary: CVE-2025-54380
Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6.
Affected Endpoints:
No affected endpoints listed.
Published Date:
7/26/2025, 4:16:06 AM
⚠️ CVSS Score:
Exploit Status:
Not ExploitedEPS Score: 0.00022 | Ranking EPS: 0.04111
References:
- https://github.com/opencast/opencast/commit/e8980435342149375802648b9c9e696c9a5f0c9a
- https://github.com/opencast/opencast/security/advisories/GHSA-hcxx-mp6g-6gr9
- https://github.com/opencast/opencast/security/advisories/GHSA-j63h-hmgw-x4j7
Recommended Action:
No proposed action available. Please refer to vendor documentation for updates.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
