We just released a change (patches are attached to this email) for a security vulnerability in our third-party authentication flow. See the email attachments for a patch for the current release and for maple.
This patch closes an open redirect vulnerability in the view used for users who have authenticated via a third party but not yet activated their actual edx account. The patch checks the url in the
next parameter against a whitelist (that may vary based on the source of authentication) before proceeding.
These fixes are already public on the openedx edx-platform and maple master branch. If you are using master or maple, please update or apply the patch as soon as possible.
maple_inactive_user_view.patch.gz (1.4 KB)
inactive_user_view.patch.gz (1.4 KB)
P.S. Patch is attached in gzip form to prevent Google Groups from modifying the patch’s line endings.