Security: Patch for security vulnerability within account search

Ali_Akbar · January 17, 2022, 12:21pm

Hello all,

We just released a change (patches are attached to this email) for a security vulnerability within account search using email. See the email attachments for a patch for edx-platform master branch and for open-release/maple.master branch.

Without this patch, it is possible to search for account info including username by using the email of a learner. Our fix disallows searching using email by regular users and restricts this feature to only staff and superusers.

We advise you to patch your instances as soon as possible. The fix has been made public and merged into the respective branches.

If you have any questions, feel free to reach out to me.

Thanks,

Ali Akbar
edX Incident Management

maple_email_account_info_vulnerability.patch.gz (4.0 KB)

MaartenGH · January 28, 2022, 6:51pm

Thank you for bringing the security issue to our attention. I have a question: which version update introduces this vulnerability? That way we can know whether we need to use the patch or not.

Topic		Replies	Views
Security: Patch for open redirect in inactive_user_view Security	0	337	April 8, 2022
Security: Patch for disable user refreshable JWT token vulnerability Security	1	229	December 12, 2022
Security: Patch for LMS user API Security	0	380	August 11, 2021
Security: Patch for logout page XSS vulnerability Security	1	3110	June 7, 2022
Security: patch for password reset Security	0	579	October 7, 2020

Security: Patch for security vulnerability within account search

Related Topics