Vulnerabilities > CVE-2020-13144 - Missing Authorization vulnerability in EDX Open EDX Platform 2.5

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

edx

CWE-862

exploit available

NVD

Published: 2020-05-18

Updated: 2022-04-26

Summary

Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.

Vulnerable Configurations

Part	Description	Count
Application	Edx EDX Open EDX Platform 2.5	1

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Exploit-Db

id	EDB-ID:48500
last seen	2020-05-21
modified	2020-05-21
published	2020-05-21
reporter	Exploit-DB
source	https://www.exploit-db.com/download/48500
title	OpenEDX platform Ironwood 2.5 - Remote Code Execution

Packetstorm

data source	https://packetstormsecurity.com/files/download/157785/openedxironwood25-exec.txt
id	PACKETSTORM:157785
last seen	2020-05-22
published	2020-05-20
reporter	Daniel Monzon
source	https://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html
title	OpenEDX Ironwood 2.5 Remote Code Execution

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Packetstorm

References