CVE-2020-13144 - Missing Authorization vulnerability in EDX Open EDX Platform 2.5
Metric | Value |
---|---|
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Exploit-Db
Field | Value |
---|---|
id | EDB-ID:48500 |
last seen | 2020-05-21 |
modified | 2020-05-21 |
published | 2020-05-21 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/48500 |
title | OpenEDX platform Ironwood 2.5 - Remote Code Execution |
Packetstorm
Field | Value |
---|---|
data source | https://packetstormsecurity.com/files/download/157785/openedxironwood25-exec.txt |
id | PACKETSTORM:157785 |
last seen | 2020-05-22 |
published | 2020-05-20 |
reporter | Daniel Monzon |
source | https://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html |
title | OpenEDX Ironwood 2.5 Remote Code Execution |
References
- http://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html
- https://edx.readthedocs.io/projects/edx-developer-guide/en/latest/architecture.html
- https://stark0de.com/2020/05/17/openedx-vulnerabilities.html