Security Alert: Studio course listing XSS

August 18, 2015

Security Alert

Severity: High
Category: XSS Targeting Admin Users
Affected Projects: edx-platform
Reporter: Internal Review
Permanent URL: https://openedx.org/CVE-2015-6253

During routine internal testing, an XSS vulnerability in the Studio listing of courses was discovered.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-6253 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.

More Information

Prior to this patch, course authors could create a course whose name contained JavaScript, and that code would execute in a user's browser when the Studio course listing was displayed. Course titles are now escaped before they are displayed to the user.
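As an added illustration (not code from the advisory or from edx-platform), the following Python shows the two rendering patterns the fix description contrasts: a course listing assembled by interpolating the title straight into HTML, and the same listing with the title escaped at the point it is written out. The course records and the `<ul>` markup are constructed for the example; the helper names are this example's own.

```python
"""Added example, not edx-platform code: rendering a course listing with
and without output escaping of author-controlled course titles."""
from html import escape

# Constructed sample data: the second title carries markup in its name,
# the situation the advisory describes.
SAMPLE_COURSES = [
    {"id": "course-v1:DemoX+CS101+2015", "display_name": "Intro to CS"},
    {"id": "course-v1:DemoX+Demo+2015",
     "display_name": "Demo Course <script>alert('studio')</script>"},
]


def render_listing_unsafe(courses):
    """Pre-patch pattern: the title is interpolated into HTML unchanged,
    so any markup the author typed becomes live markup for the viewer."""
    items = []
    for course in courses:
        items.append(
            '<li><a href="/course/{id}" title="{name}">{name}</a></li>'.format(
                id=course["id"], name=course["display_name"]))
    return "<ul>" + "".join(items) + "</ul>"


def render_listing(courses):
    """Fixed pattern: escape every untrusted value where it enters HTML.
    quote=True also converts quotes, which matters here because the same
    title is reused inside an attribute value (title="...")."""
    items = []
    for course in courses:
        safe_id = escape(course["id"], quote=True)
        safe_name = escape(course["display_name"], quote=True)
        items.append(
            '<li><a href="/course/{id}" title="{name}">{name}</a></li>'.format(
                id=safe_id, name=safe_name))
    return "<ul>" + "".join(items) + "</ul>"


def contains_raw_script(html_text):
    """Cheap regression check for a unit test: a literal <script tag in the
    rendered output means some value reached the page unescaped."""
    return "<script" in html_text.lower()


if __name__ == "__main__":
    print("unsafe:", render_listing_unsafe(SAMPLE_COURSES))
    print("escaped:", render_listing(SAMPLE_COURSES))
```

Template engines with autoescaping enabled apply the equivalent of `escape()` by default; the explicit call matters for pages built by string concatenation, for templates rendered with autoescaping turned off, and for values inserted into attributes, where unescaped quotes would let a title break out of the attribute even if angle brackets were handled.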

The bug was fixed in this commit.
