This is the official security notice regarding a security issue
recently discovered in Opencast 5.0 and 5.1.
Tracked as:
CVE-2018-19900
Description:
Insecure handling of metadata in the Paella Player and its
integration in Apereo Opencast 5.x until 5.2 may cause arbitrary
JavaScript execution.
Affects:
This issue affects Opencast 5.0 and Opencast 5.1 as well as the
development version of Opencast 6 until 2018-09-28 (until commit
4ea31f1).
Details:
The Paella player, integrated as an optional player since Opencast 5.0,
would interpret most metadata displayed in the user interface as
HTML and possibly JavaScript. This allowed attackers to potentially
craft a malicious field (e.g. an event title) that included arbitrary
code, which would then be executed by visitors with their respective
rights.
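
The class of bug described under Details, shown as an added example that is not code from Paella or Opencast: metadata concatenated into markup versus metadata encoded first, plus a helper for auditing stored metadata. All function names and the sample event are hypothetical and constructed for illustration.

```javascript
// Added illustration; not code from Paella or Opencast. All names are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a metadata value for use in HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: values are concatenated into markup and parsed as HTML.
function renderMetadataUnsafe(meta) {
  return Object.keys(meta)
    .map((key) => '<dt>' + key + '</dt><dd>' + meta[key] + '</dd>')
    .join('');
}

// Hardened pattern: every key and value is encoded before it reaches the markup.
function renderMetadataSafe(meta) {
  return Object.keys(meta)
    .map((key) => '<dt>' + escapeHtml(key) + '</dt><dd>' + escapeHtml(meta[key]) + '</dd>')
    .join('');
}

// Audit helper: list fields whose stored value contains HTML-significant characters,
// i.e. fields a player rendering metadata as HTML would interpret rather than display.
function fieldsWithMarkup(meta) {
  return Object.keys(meta).filter((key) => escapeHtml(meta[key]) !== String(meta[key]));
}

// Constructed sample metadata for an event (not taken from a real system).
const sampleEvent = {
  title: 'Lecture 1 <img src=x onerror="alert(document.domain)">',
  creator: 'Jane Doe',
  description: 'Week 1 introduction',
};

console.log(renderMetadataSafe(sampleEvent));
console.log(fieldsWithMarkup(sampleEvent));
```

In browser code the equivalent of the hardened pattern is assigning metadata through `textContent` rather than `innerHTML`. The audit helper also flags harmless values such as a title containing `&`, so its output is a review list, not a verdict.
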
Patching the system:
The issue is fixed in Opencast 5.2 and Opencast 6.0.
The issue has also been addressed upstream:
https://github.com/polimediaupv/paella/commit/85a697e9971164e3918ea84415be26636781659f