Hello all,
We just released a fix for a security vulnerability in course import. See the email attachment for a patch for master, Koa and Lilac.
Without this patch, it is possible that course imports might be vulnerable to XML external entity (XXE) injection. This security patch uses code that escapes this vulnerability and fixes the XXE injection in course import.
We advise you to patch your instances as soon as possible. The fix has been made public and merged into the respective branches.
If you have any questions, feel free to reach out to me.
Thanks,
Saad Yousaf, edX
security_xxe_fix.patch (976 Bytes)
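
An added example, not part of the original post or the attached patch: one way to screen an uploaded course archive for XML that declares a DTD or entities before it reaches the importer. It assumes the archive is a gzip-compressed tar of `.xml` files; the function names and sample files are constructed for illustration, and the approach the patch itself takes is not shown on this page.

```python
import io
import tarfile
from xml.parsers import expat

# Constructed sample course files (not from the page); the path is a placeholder.
SAMPLE_FILES = {
    "course/course.xml": b'<course org="Org" course="C1" url_name="run"/>',
    "course/html/intro.xml": (
        b'<!DOCTYPE html [<!ENTITY x SYSTEM "file:///placeholder">]>'
        b"<html>&x;</html>"
    ),
}

class ForbiddenXML(ValueError):
    """The document declares a DTD or an entity (assumed unnecessary in course XML)."""

def _refuse(kind):
    # expat passes the declared name first; the remaining arguments are ignored.
    def handler(name, *rest):
        raise ForbiddenXML(f"{kind}: {name}")
    return handler

def check_xml(data: bytes) -> None:
    """Parse with expat and raise as soon as a DOCTYPE or entity is declared."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _refuse("DOCTYPE declaration")
    parser.EntityDeclHandler = _refuse("entity declaration")
    parser.Parse(data, True)

def build_archive(files) -> bytes:
    """Pack {name: bytes} into an in-memory .tar.gz (helper for the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def scan_course_archive(archive: bytes) -> dict:
    """Return {member name: reason} for each .xml member that should be rejected."""
    rejected = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(".xml"):
                try:
                    check_xml(tar.extractfile(member).read())
                except ForbiddenXML as exc:
                    rejected[member.name] = str(exc)
                except expat.ExpatError as exc:
                    rejected[member.name] = f"malformed XML: {exc}"
    return rejected
```

A non-empty result from `scan_course_archive` means the upload should be refused and logged before any importer code parses it.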