We just released patches for a possible cross-site scripting (XSS) vulnerability in the edx-platform Studio Files and Schedule, Details page, Studio course and library page, and edit chapter page.
The patch was applied to both the master and ironwood branches.
Affected Repo: edx-platform
Branches: Ironwood, master
Without this patch, it was possible to execute scripts if they were present in error messages on the Files and Uploads page. As a result, a malicious script could access any cookies, session tokens, or other sensitive information retained by the browser.
We have merged this fix in our public repository and to the Open edX branch (open-release/ironwood.master).