We just released a change (the patch is attached to this email) for a security (Stored XSS) vulnerability within Open edX discussions. See the attachment for the patch for master, for Lilac, and for Koa.
- Inject malicious script through the web browser
- Steal browser cookies, session tokens, and other sensitive information
- Modify the contents of the webpage
We advise you to patch your instances as soon as possible. The fix has been made public and merged into the respective branches. If you have any questions, feel free to reach out to me.
discussion_xss_fix.patch (1.1 KB)
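An added illustration of the bug class this announcement describes, written for this page; it is not the attached patch and not Open edX code. It contrasts a rendering function that interpolates an untrusted discussion post body straight into HTML (the stored XSS pattern: whatever a user saves is later executed in every other reader's browser) with one that escapes it for both text and attribute context, and it uses the standard-library HTML tokenizer to check which renderings actually produce executable content. The post bodies, the `render_post_*` functions and the wrapper markup are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample post bodies (not real discussion data). The three
# malicious ones target the text context, a tag with an event handler,
# and an attribute break-out respectively.
POSTS = {
    "benign": "Is the deadline for Unit 3 still Friday?",
    "script_tag": "<script>alert(document.cookie)</script>",
    "img_onerror": "<img src=x onerror=alert(document.cookie)>",
    "attr_breakout": '" onmouseover="alert(document.cookie)',
}


def render_post_vulnerable(body: str) -> str:
    """Stored-XSS pattern: the saved body is interpolated as raw markup."""
    # Hypothetical template: body appears both as text and in an attribute.
    return f'<div class="post-body" title="{body}">{body}</div>'


def render_post_safe(body: str) -> str:
    """Same template, but the body is escaped for HTML text and attributes."""
    # quote=True turns " and ' into entities, which closes the attribute
    # break-out; &lt;/&gt; stop any tag from being created in text context.
    safe = html.escape(body, quote=True)
    return f'<div class="post-body" title="{safe}">{safe}</div>'


class ActiveContentDetector(HTMLParser):
    """Tokenizes rendered HTML the way a browser would and records anything
    that can run script: script-like elements, on* handlers, javascript: URLs."""

    SCRIPT_ELEMENTS = {"script", "iframe", "object", "embed"}
    URL_ATTRS = {"src", "href"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SCRIPT_ELEMENTS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"{lname} handler on <{tag}>")
            elif lname in self.URL_ATTRS and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {lname} on <{tag}>")


def executable_content(rendered: str) -> list[str]:
    """Return the list of script-capable constructs found in rendered HTML."""
    detector = ActiveContentDetector()
    detector.feed(rendered)
    detector.close()
    return detector.findings


def audit(renderer) -> dict[str, bool]:
    """Map each sample post to whether the given renderer lets it execute."""
    return {name: bool(executable_content(renderer(body)))
            for name, body in POSTS.items()}


if __name__ == "__main__":
    for name, exploitable in audit(render_post_vulnerable).items():
        print(f"vulnerable renderer, {name}: exploitable={exploitable}")
    for name, exploitable in audit(render_post_safe).items():
        print(f"safe renderer,       {name}: exploitable={exploitable}")
```

The detector is only a test oracle for this example, not a sanitizer: the correct fix is output encoding at the point of rendering (or a real allowlist sanitizer if the product wants to permit limited HTML in posts), which is the kind of change a patch like the attached one makes. `html.escape` covers HTML text and quoted attribute values only; a body placed inside a `<script>` block, an inline event handler, a URL, or CSS needs that context's own encoding, and the escaping must happen on output rather than on save so already-stored posts are covered too.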