Security Alert

Severity: High
Category: XSS Targeting Admin Users
Affected Projects: edx-platform
Reporter: Internal Review
Permanent URL: https://open.edx.org/CVE-2015-6253

During routine internal testing, an XSS vulnerability in the Studio listing of courses was discovered.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-6253 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.

More Information

Prior to this patch, course authors could create a course containing JavaScript code in its name and have this code executed in the browser of any user viewing the Studio course listing. Course titles are now escaped before they are displayed to the user.
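The following is an added example, not code from edx-platform or from the fix commit, illustrating the class of bug the advisory describes and the output-escaping fix it mentions. The course records, course-id values, and function names are constructed for this example; it uses only the Python standard library's html.escape, not Studio's templating layer.

```python
"""Added example (not edx-platform code): render a course listing with and
without output escaping, to show why a stored course name must never reach
HTML unescaped.  Sample data and function names are constructed here."""
from html import escape

# Constructed sample course records. The second name carries markup of the
# kind a course author could have stored before the fix.
SAMPLE_COURSES = [
    {"id": "course-v1:Demo+CS101+2015", "name": "Intro to Computer Science"},
    {"id": "course-v1:Demo+PHY1+2015", "name": "Physics <script>alert(1)</script> 101"},
]


def render_listing_unsafe(courses):
    """Vulnerable pattern: interpolates stored values into HTML verbatim.

    Anything a course author typed into the name becomes live markup in
    every viewer's browser.
    """
    items = [f'<li data-course-id="{c["id"]}">{c["name"]}</li>' for c in courses]
    return "<ul>" + "".join(items) + "</ul>"


def render_listing(courses):
    """Fixed pattern: escape every user-controlled value at output time.

    quote=True also escapes " and ', which matters for the attribute
    context (data-course-id) as well as the element-content context.
    """
    items = [
        f'<li data-course-id="{escape(c["id"], quote=True)}">'
        f'{escape(c["name"], quote=True)}</li>'
        for c in courses
    ]
    return "<ul>" + "".join(items) + "</ul>"


def contains_raw_script_tag(rendered):
    """Cheap regression check for a template test suite: a rendered listing
    must never contain an unescaped <script> opening tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_listing_unsafe(SAMPLE_COURSES))
    print("fixed: ", render_listing(SAMPLE_COURSES))
```

The escaping is done at the point of output rather than at the point of storage: the same course name may later be emitted into JSON, a plain-text email, or a CSV export, each of which needs its own encoding, so sanitising on input would either break those paths or leave them unprotected. The regression check at the end is the kind of assertion worth keeping in a template test after a fix like this one.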

The bug was fixed in this commit.