Security Alert
| Severity: | High |
| Category: | XSS Targeting Admin Users |
| Affected Projects: | edx-platform |
| Reporter: | Internal Review |
| Permanent URL: | https://open.edx.org/CVE-2015-6253 |
During routine internal testing, an XSS vulnerability in the Studio listing of courses was discovered.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-6253 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.
More Information
Prior to this patch, course authors could create a course containing Javascript code in its name and have this code executed in a user’s browser. Course titles are now escaped before displaying them to the user.
The bug was fixed in this commit.