Vulnerabilities > EDX > High

DATE CVE VULNERABILITY TITLE RISK
2024-01-13 CVE-2024-22209 Unspecified vulnerability in EDX Edx-Platform
Open edX Platform is a service-oriented platform for authoring and delivering online learning.
network
low complexity
edx
8.8
8.8
2020-05-18 CVE-2020-13146 Improper Neutralization of Formula Elements in a CSV File vulnerability in EDX Open EDX Platform 2.5
Studio in Open edX Ironwood 2.5 allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature.
network
low complexity
edx CWE-1236
8.8
8.8
2020-05-18 CVE-2020-13144 Missing Authorization vulnerability in EDX Open EDX Platform 2.5
Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code.
network
low complexity
edx CWE-862
8.8
8.8
2019-07-30 CVE-2017-18381 Unspecified vulnerability in EDX Edx-Platform
The installation process in Open edX before 2017-01-10 exposes a MongoDB instance to external connections with default credentials.
network
low complexity
edx
7.2
7.2
2019-07-30 CVE-2017-18380 Improper Access Control vulnerability in EDX Edx-Platform
edx-platform before 2017-08-03 allows attackers to trigger password-reset e-mail messages in which the reset link has an attacker-controlled domain name.
network
low complexity
edx CWE-284
7.5
7.5
2019-07-29 CVE-2016-10766 Cross-Site Request Forgery (CSRF) vulnerability in EDX Edx-Platform
edx-platform before 2016-06-06 allows CSRF.
network
low complexity
edx CWE-352
8.8
8.8
2019-07-29 CVE-2015-5601 Unrestricted Upload of File with Dangerous Type vulnerability in EDX Edx-Platform
edx-platform before 2015-07-20 allows code execution by privileged users because the course import endpoint mishandles .tar.gz files.
network
low complexity
edx CWE-434
8.8
8.8
2018-02-03 CVE-2015-2186 Improper Input Validation vulnerability in EDX Configuration and Edx-Platform
The Ansible edxapp role in the Configuration Repo in edX allows remote websites to spoof edX accounts by leveraging use of the string literal "False" instead of a boolean False for the CORS_ORIGIN_ALLOW_ALL setting.
network
low complexity
edx CWE-20
7.5
7.5