Security: Patch for XSS vulnerability in Enrollment API view

Hello all,

We just released a change (patches are attached to this email) for a security vulnerability with course import. See the email attachments for a patch for edx-platform master and for the current release open-release/maple.master.

Without this patch, a user (despite it being a staff user) may receive a vulnerable error message generated from the vulnerable form data. We’ve properly escaped the incoming malicious input from the frontend which makes it safe for the future use if we ever have to change the access from Support Staff to any other user role.

We advise you to patch your instances as soon as possible. The patch has been applied and merged into the respective branches.

If you have any questions, feel free to reach out to me.


Ali Akbar

edx Incident Management

P.S. Patch is attached in gzip form to prevent Google Groups from modifying the patch’s line endings.

master_enrollment_view_fix.patch.gz (2.1 KB)
maple_enrollment_view_fix.patch.gz (1.5 KB)

1 Like