CVE-2021-41733

Oppia 3.1.4 does not verify that certain URLs are valid before navigating to them.

CVE-2023-40021

Oppia is an online learning platform. When comparing a received CSRF token against the expected token, Oppia uses the string equality operator (==), which is not safe against timing attacks. By repeatedly submitting invalid tokens, an attacker can brute-force the expected CSRF token character by ch...