Search criteria
9 vulnerabilities found for open_edx_platform by edx
FKIE_CVE-2020-13144
Vulnerability from fkie_nvd - Published: 2020-05-18 19:15 - Updated: 2024-11-21 05:00
Severity ?
Summary
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
| cve@mitre.org | https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html | Vendor Advisory | |
| cve@mitre.org | https://stark0de.com/2020/05/17/openedx-vulnerabilities.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://stark0de.com/2020/05/17/openedx-vulnerabilities.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| edx | open_edx_platform | 2.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:edx:open_edx_platform:2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "03FDDDF8-7A59-44CC-826E-AE58235F5836",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the \"Create New course\u003eNew section\u003eNew subsection\u003eNew unit\u003eAdd new component\u003eProblem button\u003eAdvanced tab\u003eCustom Python evaluated code\" screen, edit the problem, and execute Python code. This leads to arbitrary code execution."
},
{
"lang": "es",
"value": "Studio en Open edX Ironwood versi\u00f3n 2.5, cuando CodeJail no es usado, permite a un usuario ir a la pantalla \"Create New course)New section)New subsection)New unit)Add new component)Problem button)Advanced tab)Custom Python evaluated code\", editar el problema y ejecutar c\u00f3digo Python. Esto conlleva a una ejecuci\u00f3n de c\u00f3digo arbitraria."
}
],
"id": "CVE-2020-13144",
"lastModified": "2024-11-21T05:00:44.377",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-18T19:15:11.480",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
},
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-13146
Vulnerability from fkie_nvd - Published: 2020-05-18 19:15 - Updated: 2024-11-21 05:00
Severity ?
Summary
Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://stark0de.com/2020/05/17/openedx-vulnerabilities.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://stark0de.com/2020/05/17/openedx-vulnerabilities.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| edx | open_edx_platform | 2.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:edx:open_edx_platform:2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "03FDDDF8-7A59-44CC-826E-AE58235F5836",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course\u003eInstructor\u003eCohorts may contain a formula that is exported via the \"Course\u003eData Downloads\u003eReports\u003eDownload profile info\" feature."
},
{
"lang": "es",
"value": "Studio en Open edX Ironwood versi\u00f3n 2.5, permite una inyecci\u00f3n de CSV porque una cohorte a\u00f1adida en Course)Instructor)Cohorts puede contener una f\u00f3rmula que es exportada por medio de la funcionalidad \"Course)Data Downloads)Reports)Download profile info\"."
}
],
"id": "CVE-2020-13146",
"lastModified": "2024-11-21T05:00:44.663",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-18T19:15:11.637",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1236"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2020-13145
Vulnerability from fkie_nvd - Published: 2020-05-18 19:15 - Updated: 2024-11-21 05:00
Severity ?
Summary
Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "Content>File Uploads" screen. These files can contain JavaScript code and thus lead to Stored XSS.
References
| URL | Tags | ||
|---|---|---|---|
| cve@mitre.org | https://stark0de.com/2020/05/17/openedx-vulnerabilities.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://stark0de.com/2020/05/17/openedx-vulnerabilities.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| edx | open_edx_platform | 2.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:edx:open_edx_platform:2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "03FDDDF8-7A59-44CC-826E-AE58235F5836",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the \"Content\u003eFile Uploads\" screen. These files can contain JavaScript code and thus lead to Stored XSS."
},
{
"lang": "es",
"value": "Studio en Open edX Ironwood versi\u00f3n 2.5, permite a usuarios cargar archivos SVG por medio de la pantalla \"Content)File Uploads\". Estos archivos pueden contener c\u00f3digo JavaScript y por lo tanto conllevar a un ataque de tipo XSS Almacenado."
}
],
"id": "CVE-2020-13145",
"lastModified": "2024-11-21T05:00:44.520",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-05-18T19:15:11.543",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-13145 (GCVE-0-2020-13145)
Vulnerability from cvelistv5 – Published: 2020-05-18 18:24 – Updated: 2024-08-04 12:11
VLAI?
Summary
Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "Content>File Uploads" screen. These files can contain JavaScript code and thus lead to Stored XSS.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:19.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the \"Content\u003eFile Uploads\" screen. These files can contain JavaScript code and thus lead to Stored XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-18T18:24:25",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13145",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the \"Content\u003eFile Uploads\" screen. These files can contain JavaScript code and thus lead to Stored XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html",
"refsource": "MISC",
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13145",
"datePublished": "2020-05-18T18:24:25",
"dateReserved": "2020-05-18T00:00:00",
"dateUpdated": "2024-08-04T12:11:19.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13146 (GCVE-0-2020-13146)
Vulnerability from cvelistv5 – Published: 2020-05-18 18:24 – Updated: 2024-08-04 12:11
VLAI?
Summary
Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:19.090Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course\u003eInstructor\u003eCohorts may contain a formula that is exported via the \"Course\u003eData Downloads\u003eReports\u003eDownload profile info\" feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-18T18:24:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13146",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course\u003eInstructor\u003eCohorts may contain a formula that is exported via the \"Course\u003eData Downloads\u003eReports\u003eDownload profile info\" feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html",
"refsource": "MISC",
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13146",
"datePublished": "2020-05-18T18:24:10",
"dateReserved": "2020-05-18T00:00:00",
"dateUpdated": "2024-08-04T12:11:19.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13144 (GCVE-0-2020-13144)
Vulnerability from cvelistv5 – Published: 2020-05-18 18:23 – Updated: 2024-08-04 12:11
VLAI?
Summary
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:19.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the \"Create New course\u003eNew section\u003eNew subsection\u003eNew unit\u003eAdd new component\u003eProblem button\u003eAdvanced tab\u003eCustom Python evaluated code\" screen, edit the problem, and execute Python code. This leads to arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-21T17:06:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13144",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the \"Create New course\u003eNew section\u003eNew subsection\u003eNew unit\u003eAdd new component\u003eProblem button\u003eAdvanced tab\u003eCustom Python evaluated code\" screen, edit the problem, and execute Python code. This leads to arbitrary code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html",
"refsource": "MISC",
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
},
{
"name": "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html",
"refsource": "MISC",
"url": "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html"
},
{
"name": "http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13144",
"datePublished": "2020-05-18T18:23:55",
"dateReserved": "2020-05-18T00:00:00",
"dateUpdated": "2024-08-04T12:11:19.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13145 (GCVE-0-2020-13145)
Vulnerability from nvd – Published: 2020-05-18 18:24 – Updated: 2024-08-04 12:11
VLAI?
Summary
Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "Content>File Uploads" screen. These files can contain JavaScript code and thus lead to Stored XSS.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:19.043Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the \"Content\u003eFile Uploads\" screen. These files can contain JavaScript code and thus lead to Stored XSS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-18T18:24:25",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13145",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the \"Content\u003eFile Uploads\" screen. These files can contain JavaScript code and thus lead to Stored XSS."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html",
"refsource": "MISC",
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13145",
"datePublished": "2020-05-18T18:24:25",
"dateReserved": "2020-05-18T00:00:00",
"dateUpdated": "2024-08-04T12:11:19.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13146 (GCVE-0-2020-13146)
Vulnerability from nvd – Published: 2020-05-18 18:24 – Updated: 2024-08-04 12:11
VLAI?
Summary
Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:19.090Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course\u003eInstructor\u003eCohorts may contain a formula that is exported via the \"Course\u003eData Downloads\u003eReports\u003eDownload profile info\" feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-18T18:24:10",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13146",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course\u003eInstructor\u003eCohorts may contain a formula that is exported via the \"Course\u003eData Downloads\u003eReports\u003eDownload profile info\" feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html",
"refsource": "MISC",
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13146",
"datePublished": "2020-05-18T18:24:10",
"dateReserved": "2020-05-18T00:00:00",
"dateUpdated": "2024-08-04T12:11:19.090Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-13144 (GCVE-0-2020-13144)
Vulnerability from nvd – Published: 2020-05-18 18:23 – Updated: 2024-08-04 12:11
VLAI?
Summary
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T12:11:19.222Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the \"Create New course\u003eNew section\u003eNew subsection\u003eNew unit\u003eAdd new component\u003eProblem button\u003eAdvanced tab\u003eCustom Python evaluated code\" screen, edit the problem, and execute Python code. This leads to arbitrary code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-05-21T17:06:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-13144",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the \"Create New course\u003eNew section\u003eNew subsection\u003eNew unit\u003eAdd new component\u003eProblem button\u003eAdvanced tab\u003eCustom Python evaluated code\" screen, edit the problem, and execute Python code. This leads to arbitrary code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html",
"refsource": "MISC",
"url": "https://stark0de.com/2020/05/17/openedx-vulnerabilities.html"
},
{
"name": "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html",
"refsource": "MISC",
"url": "https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html"
},
{
"name": "http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-13144",
"datePublished": "2020-05-18T18:23:55",
"dateReserved": "2020-05-18T00:00:00",
"dateUpdated": "2024-08-04T12:11:19.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}