Security Alert
Severity: High
Category: XSS Targeting Admin Users
Affected Projects: edx-platform
Reporter: Internal Review
Permanent URL: https://open.edx.org/CVE-2015-6253
During routine internal testing, an XSS vulnerability in the Studio listing of courses was discovered.
The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-6253 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.
More Information
Prior to this patch, course authors could create a course with JavaScript code in its name and have that code executed in the browser of a user viewing the Studio course listing. Course titles are now escaped before being displayed to the user.
The bug was fixed in this commit.
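To illustrate the class of bug and the fix described above, here is an added example (not code from edx-platform or its commit) with a hypothetical course-listing renderer in its unescaped and escaped forms; the course records are constructed for the demonstration.

```python
import html

# Constructed sample records, not data from a real Studio instance. The second
# course name carries markup the way an author-controlled field might.
COURSES = [
    {"id": "course-v1:Demo+101+2015", "name": "Intro to Demo"},
    {"id": "course-v1:Demo+102+2015", "name": "<script>alert(1)</script>"},
]


def render_listing_unescaped(courses):
    """Pre-patch shape of the bug: author-controlled titles are interpolated
    straight into HTML, so markup in a title becomes part of the page."""
    items = "".join(
        f'<li data-course="{c["id"]}">{c["name"]}</li>' for c in courses
    )
    return f"<ul>{items}</ul>"


def render_listing_escaped(courses):
    """Post-patch shape of the fix: every author-controlled string is
    HTML-escaped for the context it lands in (text node and attribute)."""
    items = "".join(
        f'<li data-course="{html.escape(c["id"])}">{html.escape(c["name"])}</li>'
        for c in courses
    )
    return f"<ul>{items}</ul>"


def title_is_inert(rendered, title):
    """Defender-side check: True when the title appears only as escaped text
    and never as raw markup in the rendered listing."""
    return html.escape(title) in rendered and title not in rendered


if __name__ == "__main__":
    bad = COURSES[1]["name"]
    print("unescaped inert:", title_is_inert(render_listing_unescaped(COURSES), bad))
    print("escaped inert:  ", title_is_inert(render_listing_escaped(COURSES), bad))
```

The same `html.escape` treatment must be applied in every template that prints the title, since escaping at one call site does not protect the others.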