Vulnerabilities > EDX

DATE CVE VULNERABILITY TITLE RISK
2021-08-17 CVE-2021-39248 Cross-site Scripting vulnerability in EDX Edx-Platform
Open edX through Lilac.1 allows XSS in common/static/common/js/discussion/utils.js via crafted LaTeX content within a discussion.
network
edx CWE-79
4.3
2020-05-18 CVE-2020-13144 Improper Input Validation vulnerability in EDX Open EDX Platform 2.5
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code.
network
low complexity
edx CWE-20
6.5
2020-05-18 CVE-2020-13145 Cross-site Scripting vulnerability in EDX Open EDX Platform 2.5
Studio in Open edX Ironwood 2.5 allows users to upload SVG files via the "Content>File Uploads" screen.
network
edx CWE-79
3.5
2020-05-18 CVE-2020-13146 Injection vulnerability in EDX Open EDX Platform 2.5
Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature.
network
edx CWE-74
6.8
2020-03-19 CVE-2019-20513 Cross-site Scripting vulnerability in EDX Open EDX 20190315
Open edX Ironwood.1 allows support/certificates?user= reflected XSS.
network
edx CWE-79
4.3
2019-08-09 CVE-2018-20858 Cross-site Scripting vulnerability in EDX Recommender
Recommender before 2018-07-18 allows XSS.
network
edx CWE-79
4.3
2019-07-30 CVE-2017-18381 7PK - Security Features vulnerability in multiple products
The installation process in Open edX before 2017-01-10 exposes a MongoDB instance to external connections with default credentials.
network
low complexity
edx mongodb CWE-254
6.5
2019-07-30 CVE-2018-20859 Cross-site Scripting vulnerability in EDX Edx-Platform
edx-platform before 2018-07-18 allows XSS via a response to a Chemical Equation advanced problem.
network
edx CWE-79
4.3
2019-07-30 CVE-2017-18380 Improper Access Control vulnerability in EDX Edx-Platform
edx-platform before 2017-08-03 allows attackers to trigger password-reset e-mail messages in which the reset link has an attacker-controlled domain name.
network
low complexity
edx CWE-284
5.0
2019-07-29 CVE-2016-10765 Improper Input Validation vulnerability in EDX Edx-Platform
edx-platform before 2016-06-10 allows account activation with a spoofed e-mail address.
network
low complexity
edx CWE-20
5.0