Security patch for edit_chapter xss lint issues

Hello all,

We have released a patch (attached to this email) for a cross-site scripting (XSS) vulnerability in the edx-platform edit chapter page.

Affected repo: edx-platform
Branches: Ironwood, master

Without this patch, it was possible to execute scripts if they were present in error messages on the edit chapter page; as a result, a malicious script could access any cookies, session tokens, or other sensitive information retained by the browser.

We advise you to patch your instances as soon as possible. We have merged the fix to our public repo. Let us know if you have any questions.

Thank you,

Ali Akbar
Sustaining Mavericks

ironwood_xss_lint.patch (907 Bytes)

3 Likes
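As an added illustration of the class of bug described in the announcement above (not code from the original post, the attached patch, or edx-platform itself), the following Python contrasts an error banner that interpolates a message as raw HTML with one that escapes it first, and includes a small lint-style regression check of the kind that catches a value echoed back unescaped. `SAMPLE_ERROR` and `ERROR_TEMPLATE` are constructed for this example; edx-platform's real templates and its own XSS linter are not reproduced here.

```python
import html

# Constructed sample: a validation error that echoes back an attacker-supplied
# chapter name. The markup inside it stands in for any injected script.
SAMPLE_ERROR = 'Chapter name "<script>doSomething()</script>" is not allowed'

# Hypothetical template fragment for the error banner (not edx-platform's own).
ERROR_TEMPLATE = '<div class="error-message">{message}</div>'


def render_error_unsafe(message: str) -> str:
    """Vulnerable pattern: the message is interpolated as raw HTML, so any
    <script> element or event-handler attribute inside it is executed by the
    browser of whoever views the page."""
    return ERROR_TEMPLATE.format(message=message)


def render_error_safe(message: str) -> str:
    """Fixed pattern: escape the message for HTML text context before
    interpolation. quote=True also neutralises " and ', so the same helper
    stays safe if the value is later placed inside a quoted attribute."""
    return ERROR_TEMPLATE.format(message=html.escape(message, quote=True))


# Characters that change meaning when emitted unescaped into HTML.
MARKUP_CHARS = set('<>"\'&')


def echoes_unescaped(user_value: str, rendered: str) -> bool:
    """Lint-style regression check for a rendered template: True when a value
    that carries markup characters reappears verbatim (unescaped) in the
    output, i.e. the rendering path is a reflected-XSS sink."""
    return bool(MARKUP_CHARS & set(user_value)) and user_value in rendered


if __name__ == "__main__":
    for name, render in (("unsafe", render_error_unsafe), ("safe", render_error_safe)):
        out = render(SAMPLE_ERROR)
        print(f"{name}: {out}")
        print(f"  echoes unescaped markup: {echoes_unescaped(SAMPLE_ERROR, out)}")
```

The check is deliberately template-agnostic: feed it each user-controlled value together with the page it ends up on, and any rendering path that passes markup through verbatim is flagged regardless of which template engine produced it.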

Thank you for the update but there is no attachment to the email I received. Am I missing something?

1 Like

I’m sorry about that. I’ve edited the post and attached the patch with it.

2 Likes

Thanks @Ali_Akbar for this announcement. As of now, the patch has not landed in ironwood.master (currently at 1b3b4d0). It’s much more convenient to pull a patch from a git repo than from a discourse post – could someone please merge it?

3 Likes

I’ve cherry-picked this and two other recent XSS fixes to Ironwood.

3 Likes