Security: Patch for security vulnerability within account search

Ali_Akbar · January 17, 2022, 12:21pm

Hello all,

We just released a change (patches are attached to this email) for a security vulnerability within account search using email. See the email attachments for a patch for edx-platform master branch and for open-release/maple.master branch.

Without this patch, it is possible to search for account info including username by using the email of a learner. Our fix disallows searching using email by regular users and restricts this feature to only staff and superusers.

We advise you to patch your instances as soon as possible. The fix has been made public and merged into the respective branches.

If you have any questions, feel free to reach out to me.

Thanks,

Ali Akbar
edX Incident Management

maple_email_account_info_vulnerability.patch.gz (4.0 KB)

MaartenGH · January 28, 2022, 6:51pm

Thank you for bringing the security issue to our attention. I have a question: which version update introduces this vulnerability? That way we can know whether we need to use the patch or not.

Topic	Replies	Views
Security: Patch for XSS vulnerability in Enrollment API view Security	385	February 7, 2022
Security: Patch for open redirect in inactive_user_view Security	369	April 8, 2022
Security patch for xss fixes Security	542	April 23, 2021
Security: IM patch for xss fixes 2 Security	432	December 10, 2020
Security: IM patch for xss fixes 4 Security	485	January 11, 2021

Security: Patch for security vulnerability within account search

Related topics