We have released a fix to avoid the password reset token leakage via the HTTP referrer header. See the attachment for a patch for the master and open-release/juniper.master branches.
Without the fix, when viewing the password reset page which currently has a password reset token, visiting any link from the page results in the complete URL(and the token) being accessible with referrer header. This allows a suspicious user to reset another user’s password. The vulnerability had been patched in Django since version 2.2.16 but the fix was being skipped due to the custom wrappers written in the codebase.
We advise you to patch your instances as soon as possible. The fix is public and exists on master and open-release/juniper.master branches on edx-platform.
If you have any questions, feel free to reach out to me.
Syed M. Dawoud Sheraz Ali
password_reset.patch (9.0 KB)