
Announcements

  • December 12, 2017
    In the past, we have announced security fixes for Open edX here. From now on, we are streamlining communications and posting public security fix announcements only on the Open edX Announcements mailing list. If you have any concerns about this change, please contact [email protected]
  • July 20, 2016
    Security Alert Severity: Medium Category: Email Verification Vulnerability Affected Projects: edx-platform Reporter: self-reported Permanent URL: During an automated security audit of the edX platform code, we discovered a bug in the email verification and account activation process. This bug allows a malicious user to activate an account with an unverified (invalid or someone else's)...
  • June 10, 2016
    Security Alert Severity: High Category: CSRF Affected Projects: edx-platform Reporter: self-reported Permanent URL: During a review of the edX platform code, some side-effecting HTTP GET requests were discovered. Such requests are generally undesirable: a GET is assumed to be safe, so it bypasses Cross-Site Request Forgery (CSRF) protection, which is only enforced on state-changing methods. In one specific case users could potentially escalate their...
  • September 17, 2015
    Security Alert Severity: High Category: XSS Affected Projects: edx-platform Reporter: self-reported Permanent URL: https://open.edx.org/CVE-2015-6960 During an internal code review of the edx-platform code it was discovered that a bug allowed user-submitted content to contain JavaScript that would execute in an end user's browser. The Common Vulnerabilities and Exposures (CVE) project has assigned...
  • August 25, 2015
    Security Alert Severity: Medium Category: Internal Data Exposure Affected Projects: edx-platform Reporter: Internal Review Permanent URL: https://open.edx.org/CVE-2015-6671 During internal review, we discovered that instances using SAML for single sign-on store secrets in the database. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-6671 to this issue....
  • August 18, 2015
    Security Alert Severity: High Category: XSS Targeting Admin Users Affected Projects: edx-platform Reporter: Internal Review Permanent URL: https://open.edx.org/CVE-2015-6253 During routine internal testing, an XSS vulnerability in the Studio listing of courses was discovered. The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-6253 to this issue. This is an...
  • July 27, 2015
    Security Alert Severity: High Category: Arbitrary Code Execution by Privileged Users Affected Projects: edx-platform Reporter: Third-party Security Auditor Permanent URL: https://open.edx.org/CVE-2015-5601 During a scheduled, third-party security audit of the edx-platform code it was discovered that a bug allowed certain categories of privileged users to execute arbitrary code as the user of the...
  • March 12, 2015
    Security Alert Severity: High Category: Cross Domain Referer Leakage Affected Projects: edx-platform Reporter: Smit B. Shah & Nikhil Srivastava from Techdefence Labs Permanent URL: https://open.edx.org/CVE-2015-2286 On January 11, 2015 a security vulnerability was reported by Smit B. Shah and Nikhil Srivastava that caused password reset tokens to be forwarded to third-party social networks in the...
  • March 9, 2015
    Security Alert Severity: Critical Category: Configuration Affected Projects: configuration, edx-platform Reporter: edX Permanent URL: https://open.edx.org/CVE-2015-2186 On March 6, 2015, we discovered and resolved a bug in the Ansible edxapp role that could allow different websites to impersonate edX accounts (though we're not aware that any such activity has occurred). The bug was...
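The June 10, 2016 alert above describes the general problem of a side-effecting HTTP GET: any page the victim visits can trigger it (an image tag is enough), the browser attaches the session cookie automatically, and CSRF protection is not enforced on GET. The following is an added example, not edx-platform code and not the specific endpoint that alert concerns; the handler names, the in-memory session and role tables, and the `promote` action are this example's own constructed stand-ins. It shows the vulnerable shape beside the hardened one: state changes only on POST, and only with a token that matches the one bound to the session, which a cross-site page cannot read.

```python
"""Added example (not edx-platform code): why a side-effecting GET is a CSRF hole.

A GET endpoint that mutates state can be triggered by any page the victim
visits, and the browser sends the victim's session cookie with it.  Requiring
POST plus a session-bound CSRF token stops that, because an attacker's page
cannot read the token and so cannot forge a request that carries it.
"""
import hmac
import secrets

# Constructed in-memory state standing in for the application's database.
ROLES = {"alice": "student"}
SESSIONS = {"sess-alice": {"user": "alice", "csrf": secrets.token_hex(16)}}


def vulnerable_promote(method, params, cookies):
    """Changes state on GET with no token check: a forged cross-site GET succeeds."""
    sess = SESSIONS.get(cookies.get("sessionid"))
    if sess is None:
        return 403, "login required"
    if method == "GET" and params.get("action") == "promote":
        ROLES[sess["user"]] = "staff"        # side effect on a GET
        return 200, "promoted"
    return 400, "bad request"


def hardened_promote(method, params, cookies):
    """Only POST mutates state, and only when the form token matches the session's."""
    sess = SESSIONS.get(cookies.get("sessionid"))
    if sess is None:
        return 403, "login required"
    if method != "POST":
        return 405, "method not allowed"   # GET is read-only by contract
    token = params.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "csrf verification failed"
    ROLES[sess["user"]] = "staff"
    return 200, "promoted"


def forged_cross_site_request(handler):
    """What an attacker-controlled page can cause: a GET carrying the victim's
    cookie but no token.  Returns (status, alice's role afterwards)."""
    ROLES["alice"] = "student"
    status, _ = handler("GET", {"action": "promote"}, {"sessionid": "sess-alice"})
    return status, ROLES["alice"]


def post_without_token():
    """A POST that guessed the method but lacks the token is also refused."""
    ROLES["alice"] = "student"
    status, _ = hardened_promote("POST", {}, {"sessionid": "sess-alice"})
    return status, ROLES["alice"]


def legitimate_request():
    """A same-origin form post carrying the session's own token goes through."""
    ROLES["alice"] = "student"
    token = SESSIONS["sess-alice"]["csrf"]
    status, _ = hardened_promote(
        "POST", {"csrfmiddlewaretoken": token}, {"sessionid": "sess-alice"}
    )
    return status, ROLES["alice"]


if __name__ == "__main__":
    print("forged GET against vulnerable handler:", forged_cross_site_request(vulnerable_promote))
    print("forged GET against hardened handler:  ", forged_cross_site_request(hardened_promote))
    print("POST without token:                   ", post_without_token())
    print("legitimate POST with token:           ", legitimate_request())
```

The review technique the alert implies is mechanical: list every view reachable by GET and ask whether it writes anything; any that does is either a CSRF hole or is relying on an ad hoc check that the framework's CSRF middleware would have given for free on POST.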
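The March 12, 2015 alert above (CVE-2015-2286) concerns password reset tokens reaching third parties through the Referer header: if the page whose URL carries the token also loads third-party resources, the browser sends that URL along with each of those requests. The following is an added example, not edx-platform code and not a description of what edX changed; the routes, the token table and the placeholder segment are this example's own assumptions. It shows a reset view that renders directly at the tokenized URL beside one using the redirect pattern that Django's own PasswordResetConfirmView later adopted: consume the token on first GET, keep it in the session, and redirect to a URL that contains only a placeholder, so the Referer of every subsequent subresource request is token-free. It also shows what a Referrer-Policy header would do as a second layer.

```python
"""Added example (not edx-platform code): keeping a password-reset token out of
the Referer header sent to third-party resources on the reset page.
"""
from urllib.parse import urlsplit

PLACEHOLDER = "set-password"
RESET_TOKENS = {"5gk-7a3f9c": "alice"}   # constructed: outstanding token -> user


def referer_sent_to_third_party(page_url, policy="no-referrer-when-downgrade"):
    """Referer a browser attaches to a cross-origin subresource request from
    page_url under the given Referrer-Policy (legacy default: the full URL)."""
    p = urlsplit(page_url)
    if policy == "no-referrer":
        return ""
    if policy in ("origin", "strict-origin", "strict-origin-when-cross-origin"):
        return f"{p.scheme}://{p.netloc}/"
    return page_url                      # full path, including any token


def leaks_token(page_url, policy="no-referrer-when-downgrade"):
    ref = referer_sent_to_third_party(page_url, policy)
    return any(tok in ref for tok in RESET_TOKENS)


def _last_segment(path):
    return path.rstrip("/").rsplit("/", 1)


def confirm_vulnerable(url, session):
    """Renders the new-password form directly at the tokenized URL."""
    _, token = _last_segment(urlsplit(url).path)
    if token not in RESET_TOKENS:
        return 404, None
    return 200, url                      # form shown here; URL carries the token


def confirm_hardened(url, session):
    """First GET validates the token, stores it server-side and redirects;
    the form is only ever rendered at the placeholder URL."""
    parts = urlsplit(url)
    prefix, token = _last_segment(parts.path)
    if token == PLACEHOLDER:
        if session.get("reset_token") not in RESET_TOKENS:
            return 404, None             # no consumed token in this session
        return 200, url
    if token not in RESET_TOKENS:
        return 404, None
    session["reset_token"] = token
    return 302, f"{parts.scheme}://{parts.netloc}{prefix}/{PLACEHOLDER}/"


def flow(handler, url):
    """Follow at most one redirect; return (status, URL the form is shown at,
    whether a third-party resource on that page would see the token)."""
    session = {}
    status, location = handler(url, session)
    if status == 302:
        status, location = handler(location, session)
    return status, location, leaks_token(location)


if __name__ == "__main__":
    url = "https://lms.example.org/password_reset/MQ/5gk-7a3f9c/"
    print("vulnerable:", flow(confirm_vulnerable, url))
    print("hardened:  ", flow(confirm_hardened, url))
    print("with strict-origin-when-cross-origin:", leaks_token(url, "strict-origin-when-cross-origin"))
```

The redirect is the primary fix because it does not depend on the visitor's browser honouring a Referrer-Policy; the policy header is worth sending anyway, since it also covers any other sensitive path segment the application might expose.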