Cross Site Request Forgery Bug in edX LMS

June 10, 2016 | By

Security Alert

Severity: High
Category: CSRF
Affected Projects: edx-platform
Reporter: self-reported
Permanent URL:

During a review of the edX platform code, some side-effecting HTTP GET requests were discovered. Such requests are generally undesirable, and Cross Site Request Forgery (CSRF) protection is not enforced on them. In one specific case, users could potentially escalate their privileges via an attack against staff or super users.

More Information

This patch fixes an issue where a malicious user could lure an instructor to view a page that could in turn grant the malicious user additional privileges.

Although the platform is already using Django’s Cross-Site Request Forgery (CSRF) middleware protection, some endpoints with side effects were found to be using GET methods. The patch forces these endpoints to require POST, which also properly enables CSRF protection.
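The mechanism described above, as an added example that is not edx-platform or Django code: a simplified model of how Django's CSRF middleware exempts "safe" methods, why a state-changing view reachable via GET therefore escapes the token check, and how requiring POST brings the check back. The Request, Course and grant_staff_* names are hypothetical and stand in for a real view.

```python
# Added example (not edx-platform or Django code): a pure-Python model of the
# bug class in this advisory. Django's CsrfViewMiddleware skips the token
# check for "safe" methods, which HTTP defines as side-effect free, so a view
# that mutates state on GET is never asked for a CSRF token.
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class Request:
    """Hypothetical stand-in for a Django HttpRequest (constructed input)."""
    method: str
    user: str
    cookies: dict = field(default_factory=dict)
    post: dict = field(default_factory=dict)


def csrf_check(request: Request) -> bool:
    """Simplified middleware rule: safe methods pass untouched; any other
    method must carry a form token matching the session's CSRF cookie."""
    if request.method in SAFE_METHODS:
        return True
    cookie = request.cookies.get("csrftoken", "")
    token = request.post.get("csrfmiddlewaretoken", "")
    return bool(cookie) and secrets.compare_digest(cookie, token)


class Course:
    """Hypothetical course record whose staff list is the protected state."""
    def __init__(self):
        self.staff = set()


def grant_staff_vulnerable(course: Course, request: Request, target: str) -> int:
    """Before the patch: the privilege grant is reachable with a plain GET,
    so a cross-site request (cookies sent, no form token) passes the check."""
    if not csrf_check(request):
        return 403
    course.staff.add(target)
    return 200


def grant_staff_fixed(course: Course, request: Request, target: str) -> int:
    """After the patch: the view requires POST (Django's require_POST
    decorator or an equivalent method check), so the CSRF token is always
    verified before any state changes."""
    if request.method != "POST":
        return 405
    if not csrf_check(request):
        return 403
    course.staff.add(target)
    return 200
```

A cross-site request carries the victim's cookies but cannot supply the form token; the fixed view rejects it with 405 on GET and 403 on a token-less POST, while a legitimate form submission with a matching token still succeeds.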

For more information, see:

https://docs.djangoproject.com/en/1.9/ref/csrf/

We strongly advise you to patch your instances as soon as possible.

Patch for those tracking master closely:
https://github.com/edx/edx-platform/commit/d54f79f5bf3e1af17063937df1abc…

Patch for named-release dogwood:
https://github.com/edx/edx-platform/commit/d929c1cd8ca11d801a03232f200c9…
