Security Alert

Severity: High
Category: XSS Targeting Admin Users
Affected Projects: edx-platform
Reporter: Internal Review
Permanent URL:

During routine internal testing, an XSS vulnerability in the Studio listing of courses was discovered.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-6253 to this issue. This is an entry on the CVE list, which standardizes names for security problems.

More Information

Prior to this patch, course authors could create a course containing JavaScript code in its name and have this code executed in a user’s browser. Course titles are now escaped before being displayed to the user.

The bug was fixed in this commit.
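
The following is an added illustration of this class of bug and of a regression check for it; it is not code from edx-platform or from the fixing commit. The listing template, the course records, and the names `render_listing`, `MarkupAudit` and `audit` are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample records (hypothetical, not real edx-platform data).
COURSES = [
    {"key": "course-v1:DemoX+CS101+2015", "name": "Intro to CS"},
    {"key": "course-v1:DemoX+T1+2015", "name": "<script>alert(1)</script>"},
    {"key": "course-v1:DemoX+T2+2015", "name": '" onmouseover="alert(1)'},
]

def render_listing(courses, escape_titles):
    """Render a course list; each name lands in an attribute and in element text."""
    fix = (lambda s: escape(s, quote=True)) if escape_titles else (lambda s: s)
    row = '<li><a href="/course/{key}" title="{name}">{name}</a></li>'
    rows = [row.format(key=escape(c["key"], quote=True), name=fix(c["name"]))
            for c in courses]
    return "<ul>\n" + "\n".join(rows) + "\n</ul>"

class MarkupAudit(HTMLParser):
    """Record any tag or attribute the listing template itself never emits."""
    ALLOWED = {"ul": set(), "li": set(), "a": {"href", "title"}}

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            self.violations.append("unexpected <%s>" % tag)
            return
        for name, _value in attrs:
            if name not in self.ALLOWED[tag]:
                self.violations.append("unexpected attribute %s on <%s>" % (name, tag))

def audit(html_text):
    """Return the markup a course name managed to introduce, if any."""
    parser = MarkupAudit()
    parser.feed(html_text)
    parser.close()
    return parser.violations

if __name__ == "__main__":
    print("unescaped:", audit(render_listing(COURSES, escape_titles=False)))
    print("escaped:  ", audit(render_listing(COURSES, escape_titles=True)))
```

Parsing the rendered output and allow-listing the template's own tags and attributes catches both the element-text case and the attribute case, which a search for the literal string `<script>` would miss.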
