Vulnerabilities > CVE-2020-13146 - Improper Neutralization of Formula Elements in a CSV File vulnerability in EDX Open EDX Platform 2.5

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

edx

CWE-1236

NVD

Published: 2020-05-18

Updated: 2021-07-21

Summary

Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature.

Vulnerable Configurations

Part	Description	Count
Application	Edx EDX Open EDX Platform 2.5	1

Common Weakness Enumeration (CWE)

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

References

https://stark0de.com/2020/05/17/openedx-vulnerabilities.html