Security: Patch for XXE vulnerability in course import

Saad_Yousaf · August 12, 2021, 10:12am

Hello all,

We just released a fix for a security vulnerability in course import. See the email attachment for a patch for the master, Koa and Lilac.

Without this patch, it is possible that course imports might be vulnerable to XML external entity (XXE) injection. This security patch uses code that escapes this vulnerability and fixes the XXE injection in course import.

We advise you to patch your instances as soon as possible The fix has been made public and merged into the respective branches.

If you have any questions, feel free to reach out to me.

Thanks,
Saad Yousaf, edX

security_xxe_fix.patch (976 Bytes)

mahyard · August 13, 2021, 9:00pm

Hello @Saad_Yousaf
I’m afraid I can’t find any attached files.

Saad_Yousaf · August 14, 2021, 9:50am

Hi @mahyard
Sorry for missing that, I have added the patch on the post. Please let me know if you can see it now!
Thank you for pointing that out!

mahyard · August 14, 2021, 9:51am

Thank you @Saad_Yousaf
I’m able to see it now.

Topic		Replies	Views
Security: Patch for XSS vulnerability in Enrollment API view Security	0	385	February 7, 2022
Bug in course import - fixed! Site Operators	4	1190	February 12, 2020
Security patch for xss fixes Security	0	542	April 23, 2021
Security: patch for XSS vulnerability within Open edX discussions Security	0	730	August 6, 2021
Security: IM patch for xss fixes 2 Security	0	432	December 10, 2020

Security: Patch for XXE vulnerability in course import

Related topics