Vulnerabilities > CVE-2020-13144 - Missing Authorization vulnerability in EDX Open EDX Platform 2.5

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
edx
CWE-862
exploit available

Summary

Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.

Vulnerable Configurations

Part Description Count
Application
Edx
1

Common Weakness Enumeration (CWE)

Exploit-Db

idEDB-ID:48500
last seen2020-05-21
modified2020-05-21
published2020-05-21
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/48500
titleOpenEDX platform Ironwood 2.5 - Remote Code Execution

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/157785/openedxironwood25-exec.txt
idPACKETSTORM:157785
last seen2020-05-22
published2020-05-20
reporterDaniel Monzon
sourcehttps://packetstormsecurity.com/files/157785/OpenEDX-Ironwood-2.5-Remote-Code-Execution.html
titleOpenEDX Ironwood 2.5 Remote Code Execution