High severity8.8NVD Advisory· Published Nov 17, 2017· Updated May 13, 2026
CVE-2017-1000217
Description
Opencast 2.3.2 and older versions are vulnerable to script injection (cross-site scripting) through media and metadata fields that the player and media module rendered without escaping; an attacker who can set such metadata gets arbitrary script execution in the browser of anyone viewing the affected page. Fixed in 2.3.3 and 3.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.opencastproject:baseMaven | < 2.3.3 | 2.3.3 |
Affected products
1Patches
2fba2f35df24cMH-12190, Prevent Script Injection In Media Module
2 files changed · +39 −39
modules/matterhorn-engage-ui/src/main/resources/ui/js/app/engage-ui.js+14 −14 modified@@ -615,14 +615,14 @@ function($, bootbox, _, alertify) { var seriesClass = ""; if (data.mediapackage) { - seriesClass = "series" + data.mediapackage.series + " "; + seriesClass = "series" + _.escape(data.mediapackage.series) + " "; } var tile = mediaContainer + "<a class=\"tile\" id=\"" + serID + "\" role=\"menuitem\" tabindex=\"" + tabIndexNumber++ + "\">" + "<div class=\"" + seriesClass + "seriesindicator \"/> " + "<div class=\"tilecontent\">"; - tile = tile + "<h4 class=\"title\">" + data.dcTitle + "</h4>"; + tile = tile + "<h4 class=\"title\">" + _.escape(data.dcTitle) + "</h4>"; // append thumbnail var thumb = ""; @@ -653,12 +653,12 @@ function($, bootbox, _, alertify) { tile = tile + "<div class=\"infos\">"; if (data.dcCreator) { - creator = data.dcCreator; + creator = _.escape(data.dcCreator); }; tile = tile + "<div class=\"creator\">" + creator + "</div>"; if (data.mediapackage.seriestitle) { - seriestitle = data.mediapackage.seriestitle; + seriestitle = _.escape(data.mediapackage.seriestitle); }; tile = tile + "<div class=\"seriestitle\">" + seriestitle + "</div>"; @@ -690,11 +690,11 @@ function($, bootbox, _, alertify) { $($main_container).append(tile); - $("#" + data["id"]).attr("href", playerEndpoint + "?id=" + data["id"]); + $("#" + _.escape(data["id"])).attr("href", playerEndpoint + "?id=" + _.escape(data["id"])); - $("#" + data["id"]).on("keypress", function(ev) { + $("#" + _.escape(data["id"])).on("keypress", function(ev) { if (ev.which == 13 || ev.which == 32) { - $(location).attr("href", playerEndpoint + "?id=" + data["id"]); + $(location).attr("href", playerEndpoint + "?id=" + _.escape(data["id"])); } }); 
@@ -717,34 +717,34 @@ function($, bootbox, _, alertify) { function createSeriesGrid(data) { log("build series grid"); if (data && data.id) { - var seriesClass = "series" + data.id + " "; + var seriesClass = "series" + _.escape(data.id) + " "; var color = generateSeriesColor(data.id); var creator = "<br>"; var contributor = "<br>"; - var tile = mediaContainer + "<a class=\"tile\" id=\"" + data.id + "\" role=\"menuitem\" tabindex=\"" + tabIndexNumber++ + "\"> " + + var tile = mediaContainer + "<a class=\"tile\" id=\"" + _.escape(data.id) + "\" role=\"menuitem\" tabindex=\"" + tabIndexNumber++ + "\"> " + "<div class=\"" + seriesClass + "seriesindicator \"/> " + "<div class=\"tilecontent\">"; - tile = tile + "<h4 class=\"title\">" + (data.dcTitle ? data.dcTitle : "Unknown title") + "</h4>"; + tile = tile + "<h4 class=\"title\">" + (data.dcTitle ? _.escape(data.dcTitle) : "Unknown title") + "</h4>"; if (data.dcCreator) { - creator = data.dcCreator; + creator = _.escape(data.dcCreator); }; tile = tile + "<div class=\"creator\">" + creator + "</div>"; if (data.dcContributor) { - contributor = data.dcContributor; + contributor = _.escape(data.dcContributor); }; tile = tile + "<div class=\"contributor\">" + contributor + "</div>"; tile = tile + "</div></div></a>"; $($main_container).append(tile); - $("#" + data.id).attr("href", "?e=1&p=1&epFrom=" + data.id); + $("#" + _.escape(data.id)).attr("href", "?e=1&p=1&epFrom=" + _.escape(data.id)); - $("#" + data.id).on("keypress", function(ev) { + $("#" + _.escape(data.id)).on("keypress", function(ev) { log("keypress") if (ev.which == 13 || ev.which == 32) { restData = "sid=" + data.id;
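Review bot: `_.escape` is applied in three different contexts on the `$("#" + …)` / `.attr("href", …)` lines of both hunks, and it is only the right encoder for one of them. In the tile's `id=\"…\"` attribute it is correct; inside the jQuery selector it is harmful, because an id containing `&`, `<` or quotes is HTML-escaped while the DOM id is the decoded original, so the selector stops matching (and selector metacharacters such as `.` or `:` are still not escaped); in the query string it neither URL-encodes nor prevents anything, since `.attr("href", …)` sets the attribute through the DOM with no HTML parsing. I would look the element up by the raw id and URL-encode the query value instead: `$(document.getElementById(data["id"])).attr("href", playerEndpoint + "?id=" + encodeURIComponent(data["id"]));`, the same in both keypress handlers, and `"?e=1&p=1&epFrom=" + encodeURIComponent(data.id)` for the series tile. The unchanged `restData = "sid=" + data.id;` at the end of the second hunk presumably feeds a request and would want the same encoding, and `serID` in the first hunk is computed outside the hunk, so whether it is escaped is not visible here.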
modules/matterhorn-engage-ui/src/main/resources/ui/template/desktop.html+25 −25 modified@@ -17,10 +17,10 @@ <h1 class="navbar-brand">Media Module</h1> <div class="collapse navbar-collapse"> <ul class="nav navbar-nav" id="nav-switch" role="menu"> <li id="navbarEpisodes" data-search="episodes"> - <a href="?e=1&p=1" role="menuitem" tabindex="1"><%= episodes %></a> + <a href="?e=1&p=1" role="menuitem" tabindex="1"><%- episodes %></a> </li> <li id="navbarSeries" data-search="series"> - <a href="?s=1&p=1" role="menuitem" tabindex="2"><%= series %></a> + <a href="?s=1&p=1" role="menuitem" tabindex="2"><%- series %></a> </li> </ul> <ul class="navbar-form navbar-right" id="nav-dropdownLoginLogout"> 
@@ -48,118 +48,118 @@ <h1 class="navbar-brand">Media Module</h1> </div> <button id="oc-search-btn" type="submit" class="btn btn-default" tabindex="5" formenctype="multipart/form-data"> - <%= search %> + <%- search %> </button> <div class="btn-group"> <button id="buttonSorting" class="btn btn-default dropdown-toggle" type="button" data-toggle="dropdown" class="btn btn-default dropdown-toggle" aria-label="Sorting" tabindex="4"> - <%= sort %> + <%- sort %> <span class="caret"></span> </button> <ul id="dropdownMenuSorting" class="dropdown-menu" role="menu" tabindex="-1"> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="DATE_CREATED_DESC" value="DATE_CREATED_DESC"> <label for="DATE_CREATED_DESC"> - <%= recording_date_new %> + <%- recording_date_new %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="DATE_CREATED" value="DATE_CREATED"> <label for="DATE_CREATED"> - <%= recording_date_old %> + <%- recording_date_old %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="DATE_PUBLISHED_DESC" value="DATE_PUBLISHED_DESC"> <label for="DATE_PUBLISHED_DESC"> - <%= publishing_date_new %> + <%- publishing_date_new %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="DATE_PUBLISHED" value="DATE_PUBLISHED"> <label for="DATE_PUBLISHED"> - <%= publishing_date_old %> + <%- publishing_date_old %> </label> </li> <li role="presentation" class="divider"></li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="TITLE" value="TITLE"> <label for="TITLE"> - <%= title_a_z %> + <%- title_a_z %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="TITLE_DESC" value="TITLE_DESC"> <label for="TITLE_DESC"> - <%= title_z_a %> + <%- title_z_a %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" 
name="sort" id="CREATOR" value="CREATOR"> <label for="CREATOR"> - <%= author_a_z %> + <%- author_a_z %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="CREATOR_DESC" value="CREATOR_DESC"> <label for="CREATOR_DESC"> - <%= author_z_a %> + <%- author_z_a %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="CONTRIBUTOR" value="CONTRIBUTOR"> <label for="CONTRIBUTOR"> - <%= contributor_a_z %> + <%- contributor_a_z %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="CONTRIBUTOR_DESC" value="CONTRIBUTOR_DESC"> <label for="CONTRIBUTOR_DESC"> - <%= contributor_z_a %> + <%- contributor_z_a %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="PUBLISHER" value="PUBLISHER"> <label for="PUBLISHER"> - <%= publisher_a_z %> + <%- publisher_a_z %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="PUBLISHER_DESC" value="PUBLISHER_DESC"> <label for="PUBLISHER_DESC"> - <%= publisher_z_a %> + <%- publisher_z_a %> </label> </li> <li role="presentation" class="divider"></li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="SERIES_ID" value="SERIES_ID"> <label for="SERIES_ID"> - <%= series %> + <%- series %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="LANGUAGE" value="LANGUAGE"> <label for="LANGUAGE"> - <%= language %> + <%- language %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="LICENSE" value="LICENSE"> <label for="LICENSE"> - <%= license %> + <%- license %> </label> </li> <li role="presentation"> <input type="radio" class="oc-sort-dropdown" name="sort" id="SUBJECT" value="SUBJECT"> <label for="SUBJECT"> - <%= subject %> + <%- subject %> </label> </li> <li role="presentation"> <input 
type="radio" class="oc-sort-dropdown" name="sort" id="DESCRIPTION" value="DESCRIPTION"> <label for="DESCRIPTION"> - <%= description %> + <%- description %> </label> </li> </ul> @@ -173,10 +173,10 @@ <h1 class="navbar-brand">Media Module</h1> <div class="container-fluid" id="main-container" role="menu"></div> </div> <ul class="pager" role="menu"> - <li class="first previous"><a id="firstPage" role="menuitem" tabindex="10" >⇤ <%= first %></a></li> - <li class="previous"><a id="prevPage" role="menuitem" tabindex="9" >← <%= prev %></a></li> - <li class="last next"><a id="lastPage" role="menuitem" tabindex="8" ><%= last %> ⇥</a></li> - <li class="next"><a id="nextPage" role="menuitem" tabindex="7" ><%= next %> →</a></li> + <li class="first previous"><a id="firstPage" role="menuitem" tabindex="10" >⇤ <%- first %></a></li> + <li class="previous"><a id="prevPage" role="menuitem" tabindex="9" >← <%- prev %></a></li> + <li class="last next"><a id="lastPage" role="menuitem" tabindex="8" ><%- last %> ⇥</a></li> + <li class="next"><a id="nextPage" role="menuitem" tabindex="7" ><%- next %> →</a></li> </ul> <div id="more" class="scroll-indicator">Loading More Content</div> <div id="no-more" class="scroll-indicator">No More Content</div>
2d42e42f3cfcMH-12190, Prevent Script Injection In Player
4 files changed · +36 −34
modules/matterhorn-engage-theodul-plugin-description/src/main/resources/static/templates/desktop.html+4 −3 modified@@ -4,17 +4,18 @@ && (typeof str_date !== "undefined")) { %> <div id="engage_basic_description"> <% if(typeof title !== "undefined" ){ %> - <div id="engage_basic_description_title" aria-label="<%= str_videoTitle %>: <%= title %>"><%= title %></div> + <div id="engage_basic_description_title" aria-label="<%- str_videoTitle %>: <%- title %>"><%- title %></div> <% } %> <div id="engage_basic_description_info"> <% if(typeof creator !== "undefined" ){ %> - <div id="engage_basic_description_creator" class="engage_basic_description_wrap" aria-label="<%= str_creator %>: <%= creator %>"><%= creator %></div> + <div id="engage_basic_description_creator" class="engage_basic_description_wrap" + aria-label="<%- str_creator %>: <%- creator %>"><%- creator %></div> <% } %> <% if((typeof creator !== "undefined" ) && (typeof date !== "undefined" ) && (creator !== "")) { %> <div class="engage_basic_description_wrap">, </div> <% } %> <% if(typeof date !== "undefined" ){ %> - <div id="engage_basic_description_date" aria-label="<%= str_date %>: <%= date %>"><%= date %></div> + <div id="engage_basic_description_date" aria-label="<%- str_date %>: <%- date %>"><%- date %></div> <% } %> </div> </div>
modules/matterhorn-engage-theodul-plugin-description/src/main/resources/static/templates/mobile.html+5 −4 modified@@ -4,18 +4,19 @@ && (typeof str_date !== "undefined")) { %> <div id="engage_basic_description"> <% if(typeof title !== "undefined" ){ %> - <div id="engage_basic_description_title" aria-label="<%= str_videoTitle %>: <%= title %>"><%= title %></div> + <div id="engage_basic_description_title" aria-label="<%- str_videoTitle %>: <%- title %>"><%- title %></div> <% } %> <div id="engage_basic_description_info"> <% if((typeof creator !== "undefined") && (creator !== "")){ %> - <div id="engage_basic_description_creator" class="engage_basic_description_wrap" aria-label="<%= str_creator %>: <%= creator %>"><%= creator %></div> + <div id="engage_basic_description_creator" class="engage_basic_description_wrap" + aria-label="<%- str_creator %>: <%- creator %>"><%- creator %></div> <% } %> <% if((typeof creator !== "undefined" ) && (typeof date !== "undefined" ) && (creator !== "")) { %> <div class="engage_basic_description_wrap">, </div> <% } %> <% if(typeof date !== "undefined" ){ %> - <div id="engage_basic_description_date" aria-label="<%= str_date %>: <%= date %>"><%= date %></div> + <div id="engage_basic_description_date" aria-label="<%- str_date %>: <%- date %>"><%- date %></div> <% } %> </div> </div> -<% } %> \ No newline at end of file +<% } %>
modules/matterhorn-engage-theodul-plugin-tab-description/src/main/resources/static/templates/desktop.html+21 −21 modified@@ -10,77 +10,77 @@ && (typeof str_noDescriptionAvailable !== "undefined")) { %> <!-- theodul tab description plugin desktop mode --> <div id="engage_description_tab_content"> - <% if(typeof description !== "undefined" - && typeof title !== "undefined" - && typeof creator !== "undefined" - && typeof series !== "undefined" - && typeof contributor !== "undefined" + <% if(typeof description !== "undefined" + && typeof title !== "undefined" + && typeof creator !== "undefined" + && typeof series !== "undefined" + && typeof contributor !== "undefined" && typeof date !== "undefined") { %> <div class="descriptionTabLeft"> <div class="description-item"> - <p class="description-item-header"><%= str_title %></p> + <p class="description-item-header"><%- str_title %></p> <p class="description-item-body"> <% if(title != "") { %> - <%= title %> + <%- title %> <% } else { %> - <p><%= str_noTitle %></p> + <p><%- str_noTitle %></p> <% } %> </p> </div> <% if(creator != "") { %> <div class="description-item"> - <p class="description-item-header"><%= str_creator %></p> + <p class="description-item-header"><%- str_creator %></p> <p class="description-item-body"> - <%= creator %> + <%- creator %> </p> </div> <% } %> <% if(contributor != "") { %> <div class="description-item"> - <p class="description-item-header"><%= str_contributor %></p> + <p class="description-item-header"><%- str_contributor %></p> <p class="description-item-body"> - <%= contributor %> + <%- contributor %> </p> </div> <% } %> <% if(views != "") { %> <div class="description-item"> - <p class="description-item-header"><%= str_views %></p> + <p class="description-item-header"><%- str_views %></p> <p class="description-item-body"> - <%= views %> + <%- views %> </p> </div> <% } %> </div> <div class="descriptionTabRight"> <% if(series != "") { %> <div class="description-item "> - <p 
class="description-item-header"><%= str_series %></p> + <p class="description-item-header"><%- str_series %></p> <p class="description-item-body"> - <%= series %> + <%- series %> </p> </div> <% } %> <% if(date != "") { %> <div class="description-item"> - <p class="description-item-header"><%= str_recordingDate %></p> + <p class="description-item-header"><%- str_recordingDate %></p> <p class="description-item-body"> - <%= date %> + <%- date %> </p> </div> <% } %> <% if(description != "") { %> <div class="description-item"> - <p class="description-item-header"><%= str_description %></p> + <p class="description-item-header"><%- str_description %></p> <p class="description-item-body"> - <%= description %> + <%- description %> </p> </div> <% } %> </div> <div class="clear"></div> <% } else { %> - <%= str_noDescriptionAvailable %> + <%- str_noDescriptionAvailable %> <% } %> </div> <% } %>
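Review bot: The guard at the top of the hunk checks `typeof` for description, title, creator, series, contributor and date but not `views`, yet `<% if(views != "") { %>` dereferences it unconditionally; with Underscore's `with(obj)` template scope a missing `views` throws a ReferenceError and the whole tab fails to render, so `&& typeof views !== "undefined"` belongs in that condition. Separately, the title branch nests `<p><%- str_noTitle %></p>` inside `<p class="description-item-body">`, which the parser auto-closes; a `<span>` keeps the fallback text inside the intended element. The escaping changes themselves look right for text content.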
modules/matterhorn-engage-theodul-plugin-tab-slidetext/src/main/resources/static/templates/desktop.html+6 −6 modified@@ -4,25 +4,25 @@ <div id="engage_slidetext_tab_content"> <% if((typeof segments !== "undefined") && (segments.length > 0)) { var i = 0; %> <% _.each(segments, function(segment) { %> - <div class="media mediaColor" id="tab_slidetext_segment_<%= i %>"> - <img class="media-object pull-left" src="<%= segment.image_url %>" alt="<%= str_segment %> <%= i %>" /> + <div class="media mediaColor" id="tab_slidetext_segment_<%- i %>"> + <img class="media-object pull-left" src="<%- segment.image_url %>" alt="<%- str_segment %> <%- i %>" /> <div class="media-body"> <div class="media-heading"> - <%= str_segment %> <%= i + 1 %> + <%- str_segment %> <%= i + 1 %> </div> <div class="media-time"> - <%= segment.humanReadableTime %> + <%- segment.humanReadableTime %> </div> <div class="media-text"> <% if((segment.text !== "undefined") && (segment.text != "")) { %> - <%= segment.text %> + <%- segment.text %> <% } %> </div> </div> </div> <% ++i; }); %> <% } else { %> - <p><%= str_noSlidesAvailable %></p> + <p><%- str_noSlidesAvailable %></p> <% } %> </div> <% } %>
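Review bot: HTML-escaping `segment.image_url` in the `src` attribute stops attribute breakout but says nothing about the URL's scheme; if `image_url` can be influenced by uploaded media or its metadata, validate that it is a relative or http(s) URL before interpolating it, so the template stays safe if the value is ever reused in a link rather than an `<img>`. Two smaller points in the same hunk: `segment.text !== "undefined"` compares against the string "undefined" and should be `typeof segment.text !== "undefined"` if the intent is to skip a missing property, and `<%= i + 1 %>` was left as raw interpolation while the neighbouring `<%- i %>` was converted — harmless for an integer, but `<%- i + 1 %>` keeps every interpolation in the file on the escaped form.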
References
6- github.com/advisories/GHSA-qwfv-5jwj-582hghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-1000217ghsaADVISORY
- github.com/opencast/opencast/commit/2d42e42f3cfcff3a775a2538f735fca8542ce1fcghsaWEB
- github.com/opencast/opencast/commit/fba2f35df24ce2aeaff627200065cbade9b3a0cdghsaWEB
- groups.google.com/a/opencast.org/forum/ghsaWEB
- groups.google.com/a/opencast.org/forum/nvd