CVE-2020-13144 - Missing Authorization vulnerability in EDX Open EDX Platform 2.5
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | SINGLE |
Confidentiality impact | PARTIAL |
Integrity impact | PARTIAL |
Availability impact | PARTIAL |
Summary
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Common Weakness Enumeration (CWE)
Exploit-Db
id | EDB-ID:48500 |
last seen | 2020-05-21 |
modified | 2020-05-21 |
published | 2020-05-21 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/48500 |
title | OpenEDX platform Ironwood 2.5 - Remote Code Execution |
Packetstorm
data source | https://packetstormsecurity.com/files/download/157785/openedxironwood25-exec.txt |
id | PACKETSTORM:157785 |
last seen | 2020-05-22 |
published | 2020-05-20 |
reporter | Daniel Monzon |
source | https://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html |
title | OpenEDX Ironwood 2.5 Remote Code Execution |