Security Alert

Severity: Medium
Category: Email Verification Vulnerability
Affected Projects: edx-platform
Reporter: self-reported
Permanent URL:  

During an automated security audit of the edX platform code, we discovered a bug in the email verification and account activation process. This bug allows a malicious user to activate an account with an unverified email address, i.e. one that is invalid or belongs to someone else.

Normally, an account is activated only once the user verifies their email address. Activation enables the user to log in to the LMS and to receive email from the platform.

We strongly advise you to patch your instances as soon as possible.

Patch for those tracking master closely:
https://github.com/edx/edx-platform/commit/95c0b50ebebf8e226fb832d0acb8a…

Patch for named-release dogwood:
https://github.com/edx/edx-platform/commit/9b1f89d19ad26625859f887b12931…