Security: Patch for xss issue

We just released patches for a possible cross-site scripting (XSS) vulnerability in edx-platform Studio: the Files and Schedule, Details page, the Studio course and library page, and the edit chapter page.

The patch was applied to both master and ironwood branches.

Affected Repo: edx-platform

Branches: Ironwood, master

Without this patch, it was possible to execute scripts if they were present in error messages on the Files and Uploads page; as a result, the malicious script could access any cookies, session tokens, or other sensitive information retained by the browser.

We have merged this fix in our public repository and to the Open edX branch (open-release/ironwood.master).

upload_xss.patch (1.4 KB)
library_xss.patch (1.5 KB)
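The defect described above (an error message that echoes untrusted input, such as a file name, straight into the page as HTML) and its fix come down to output encoding. The following is an added illustration, not code from edx-platform or from the patches attached to this post; the error message and the function names are constructed for the example.

```javascript
// Added example (not edx-platform code). Shows the vulnerable rendering pattern
// next to the hardened one for an error message that reflects user input.

// Constructed error message, as an upload handler might echo a file name back
// to the user. The file name is the untrusted part.
const constructedError =
  'Upload failed for file "<script>alert(1)</script>.png"';

// Escape the five characters that change meaning in HTML text and attribute
// contexts. This is the minimum required before interpolating into markup.
function escapeHtml(str) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the message is concatenated into markup unchanged and
// then handed to something like innerHTML, so any tags in it are interpreted.
function renderErrorUnsafe(message) {
  return '<div class="error">' + message + '</div>';
}

// Hardened pattern: the message is escaped first, so the browser displays the
// tags as literal text instead of executing them.
function renderErrorSafe(message) {
  return '<div class="error">' + escapeHtml(message) + '</div>';
}

// Regression check suitable for a unit test: rendered output must never
// contain a script tag that the template itself did not put there.
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe:', renderErrorUnsafe(constructedError));
console.log('safe:  ', renderErrorSafe(constructedError));
console.log('unsafe contains script tag:', containsRawScript(renderErrorUnsafe(constructedError)));
console.log('safe contains script tag:  ', containsRawScript(renderErrorSafe(constructedError)));
```

In a browser the same distinction is assigning the message to an element's `textContent` (safe) rather than `innerHTML` (interprets markup); in templating systems it is using the escaping interpolation form rather than the raw one. A check like `containsRawScript` over rendered error views is a cheap way to keep this class of regression out of a code base.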


Thanks for these security patch announcements. They’re extremely useful!

However, at OpenCraft we have dozens of customer deployments that need to be updated whenever one of these comes out. It would make ours, and likely many community members’, lives a whole lot easier if, when these updates come down the pipes, they were rolled up into predictable chunks. Say, one announcement per week, for instance. That way, we can safely allocate time for at most one security redeployment in that same timeframe.

In contrast, when this one was announced, it was but one day after the previous one. We all had to scramble to redeploy again, lest we risk customers being exposed to exploitations resulting from the announcement itself.

Thoughts?
