12 matches found
CVE-2024-22209
Open edX Platform suffers an access-control vulnerability where a user with a JWT and limited scopes could call endpoints beyond their authorization. The issue concerns the XBlock custom auth not respecting JWT scopes, enabling elevation of privileges for certain API endpoints. Red Hat, NVD, and ...
CVE-2017-18380
CVE-2017-18380 affects edx-platform (pre-2017-08-03). The issue allows an attacker to trigger password-reset emails where the reset link uses an attacker-controlled domain name, enabling potential phishing or credential harvesting vectors. Documented impact: ability to cause user-facing reset mes...
CVE-2015-6960
CVE-2015-6960 affects edx-platform prior to 2015-09-17 and allows cross-site scripting via a team name. The connected records corroborate this XSS vulnerability; however, the provided documents do not specify affected versions beyond the date, root cause details, exploit steps, or remediation/pat...
CVE-2017-18381
CVE-2017-18381 concerns Open edX installations prior to 2017-01-10, where the installation process exposed a MongoDB instance to external connections using default credentials. This creates a risk of unauthorized access to the database. The connected Red Hat and other vulnerability records corrob...
CVE-2018-20859
CVE-2018-20859 affects the Open edX platform (edx-platform). It describes an XSS vulnerability: edx-platform before 2018-07-18 allows executing client-side code via a response to a Chemical Equation advanced problem. The root cause is lack of proper validation of client data in the web applicatio...
CVE-2015-6253
CVE-2015-6253 affects edx-platform prior to 2015-08-17 and enables Cross-Site Scripting in the Studio listing of courses. Exploitation details are not provided in the connected documents, and no remediation steps are specified here.
CVE-2021-39248
Open edX Open edX platform (Lilac.1) is affected by a cross-site scripting (XSS) vulnerability in common/static/common/js/discussion/utils.js triggered by crafted LaTeX content within a discussion. Root cause is improper handling/validation of LaTeX content in discussion posts, allowing injected ...
CVE-2015-5601
CVE-2015-5601 affects edx-platform prior to 2015-07-20. A vulnerable endpoint (course import) mishandles .tar.gz files, allowing code execution by privileged users. Documents provide CVSS details (2.0/6.5; 3.0/8.8) indicating impact on confidentiality, integrity, and availability (all high/partia...
CVE-2015-6671
Open edX edx-platform pre-2015-08-25 stores SAML SSO secrets in the database, enabling potential exposure of sensitive information via a database backup. The root cause is storage of SAML secrets in the database, which means that if a backup is accessed, context-dependent attackers may obtain sen...
CVE-2016-10765
CVE-2016-10765 affects edx-platform prior to 2016-06-10. The issue permits account activation using a spoofed email address, enabling potential unauthorized activation of user accounts. The provided documents do not specify exploitable vectors, affected versions beyond the date, or remediation/wo...
CVE-2015-2186
The CVE-2015-2186 entry concerns the Ansible edxapp role in the edX Configuration Repo. The vulnerability arises from using the string literal "False" instead of a boolean False for CORS_ORIGIN_ALLOW_ALL, enabling remote sites to spoof edX accounts. The issue affected the edX configuration but wa...
CVE-2016-10766
CVE-2016-10766 affects edx-platform prior to 2016-06-06 and is a cross-site request forgery (CSRF) vulnerability. According to the sources, the issue is a CSRF flaw in edx-platform before the specified date. CVSSv3.1 base score is 8.8 (HIGH) with NETWORK attack vector, LOW attack complexity, no p...