Security: Patch for security vulnerability within account search

Hello all,

We just released a change (patches are attached to this email) for a security vulnerability within account search using email. See the email attachments for a patch for edx-platform master branch and for open-release/maple.master branch.

Without this patch, it is possible to search for account info including username by using the email of a learner. Our fix disallows searching using email by regular users and restricts this feature to only staff and superusers.

We advise you to patch your instances as soon as possible. The fix has been made public and merged into the respective branches.

If you have any questions, feel free to reach out to me.

Thanks,

Ali Akbar
edX Incident Management

maple_email_account_info_vulnerability.patch.gz (4.0 KB)

1 Like

Thank you for bringing the security issue to our attention. I have a question: which version update introduces this vulnerability? That way we can know whether we need to use the patch or not.