Hello all,
We just released a change (the patch is attached to this email) for a security (Stored XSS) vulnerability within Open edX discussions. See the attachment for the patch for master, for Lilac, and for Koa.
Without this patch, it is possible to create a discussion post containing malicious JavaScript embedded as LaTeX that can execute on a user click. A malicious user can leverage that to execute arbitrary JavaScript code to:
- Inject malicious script through the web browser
- Steal browser cookies, session tokens, and other sensitive information
- Modify the contents of the webpage
The fix strips out (removes) JavaScript code from LaTeX input and prevents attackers from embedding JavaScript in LaTeX input.
We advise you to patch your instances as soon as possible. The fix has been made public and merged into the respective branches. If you have any questions, feel free to reach out to me.
Thanks,
Awais Jibran
discussion_xss_fix.patch (1.1 KB)