Security Alert: XSS Vulnerability in Teams Feature

September 17, 2015 | By

Security Alert

Severity: High
Category: XSS
Affected Projects: edx-platform
Reporter: self-reported
Permanent URL: https://openedx.org/CVE-2015-6960

During an internal code review of the edx-platform code, it was discovered that a bug allowed user-submitted content to contain JavaScript that would execute in an end user's browser.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2015-6960 to this issue. This is an entry on the CVE list (http://cve.mitre.org), which standardizes names for security problems.

More Information

This bug made it possible for an end user to create a team whose name contained JavaScript code and have that code executed in the browser of any other user who viewed the team.

The fix is to correctly escape team names before displaying them on the page, so that any markup or script in a name is rendered as literal text rather than interpreted by the browser.

The bug was fixed in this commit.
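To make the defect and its fix concrete, the following is an added example written for this advisory; it is not code from edx-platform or from the referenced commit. It renders a team name into a card's HTML two ways: the vulnerable way, by interpolating the raw name into markup, and the fixed way, by HTML-escaping the name first. The team name, the `escapeHtml` helper and the `renderTeamCard*` functions are constructed for illustration and do not correspond to identifiers in the project.

```javascript
// Added example, not edx-platform code. Shows the class of bug described in
// the advisory (unescaped user-controlled team name rendered into HTML) and
// the output-escaping fix. All names here are constructed for the demo.

// Constructed attacker-controlled team name (sample input, not from the advisory).
// If this reaches innerHTML unescaped, the browser parses the <img> tag and
// runs the onerror handler in the viewing user's session.
const TEAM_NAME = '<img src=x onerror="alert(document.cookie)">Team A';

// Minimal HTML escaper for the five characters that can terminate text content
// or a double-/single-quoted attribute value. Escaping belongs at the point
// of output, in the HTML context, not on the way into the database.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the raw name is spliced straight into markup.
function renderTeamCardUnsafe(team) {
  return `<div class="team-card"><h3>${team.name}</h3></div>`;
}

// Fixed: the name is escaped before interpolation, so the same input is
// displayed as text and no new tag or attribute is created.
function renderTeamCardSafe(team) {
  return `<div class="team-card"><h3>${escapeHtml(team.name)}</h3></div>`;
}

// Crude check used only for this demo: after removing the card's own
// structural tags, is there any element left that the browser would parse?
// This is a heuristic for the example, not a general XSS detector.
function leavesExecutableMarkup(html) {
  const stripped = html.replace(/<\/?(div|h3)[^>]*>/gi, '');
  return /<[a-z][^>]*>/i.test(stripped);
}

// Stand-alone demo when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  const team = { name: TEAM_NAME };
  console.log('unsafe:', renderTeamCardUnsafe(team));
  console.log('safe:  ', renderTeamCardSafe(team));
  console.log('unsafe leaves markup:', leavesExecutableMarkup(renderTeamCardUnsafe(team)));
  console.log('safe leaves markup:  ', leavesExecutableMarkup(renderTeamCardSafe(team)));
}
```

The same principle applies whichever templating layer produces the markup: a template engine that escapes by default (or the escaping form of its interpolation tag) should be used for any user-supplied value, and raw or "unescaped" interpolation should be reserved for markup the application itself generated.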
