Security Alert: Account Activation with Unverified Email

July 20, 2016

Security Alert

Severity: Medium
Category: Email Verification Vulnerability
Affected Projects: edx-platform
Reporter: self-reported
Permanent URL:  

During an automated security audit of the edX platform code, we discovered a bug in the email verification and account activation process. The bug allows a malicious user to activate an account with an unverified email address, that is, an address that is invalid or that belongs to someone else.

Normally, an account is activated only after the user verifies their email address. Activation enables the user to log in to the LMS and to receive email from the platform, so an account activated against an address the user never proved they control is treated by the platform as if that address had been verified.

We strongly advise you to patch your instances as soon as possible.

Patch for those tracking master closely:
https://github.com/edx/edx-platform/commit/95c0b50ebebf8e226fb832d0acb8a…

Patch for named-release dogwood:
https://github.com/edx/edx-platform/commit/9b1f89d19ad26625859f887b12931…
