Security: Patch for XXE vulnerability in course import

Hello all,

We just released a fix for a security vulnerability in course import. See the email attachment for a patch for the master, Koa and Lilac.

Without this patch, it is possible that course imports might be vulnerable to XML external entity (XXE) injection. This security patch uses code that escapes this vulnerability and fixes the XXE injection in course import.

We advise you to patch your instances as soon as possible. The fix has been made public and merged into the respective branches.

If you have any questions, feel free to reach out to me.

Saad Yousaf, edX

security_xxe_fix.patch (976 Bytes)
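For operators who want to check that their own XML handling refuses the constructs an XXE payload depends on, here is an added example that is not the attached patch and not Open edX's own importer code: a stdlib-only loader built on expat that rejects any DOCTYPE or entity declaration before a tree is built, run against a constructed course.xml. The element and attribute names and the sample inputs are my own, assumed for illustration, not the importer's real schema.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when an import payload carries a DOCTYPE or entity declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Any DOCTYPE is refused: course XML never needs one, and the DTD is
    # where external entities are declared.
    raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed in course XML")


def _reject_entity(name, *args):
    # Covers both EntityDeclHandler (7 args) and UnparsedEntityDeclHandler (5 args).
    raise UnsafeXMLError(f"entity declaration {name!r} is not allowed in course XML")


def _refuse_external_ref(context, base, sysid, pubid):
    # Returning 0 makes expat treat the reference as an error instead of
    # fetching the resource; unreachable once DOCTYPE is refused, kept as a backstop.
    return 0


def parse_course_xml(data: bytes) -> ET.Element:
    """Parse course XML into an ElementTree element with XXE vectors disabled."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    parser.UnparsedEntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = _refuse_external_ref
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)  # exceptions raised in handlers propagate here
    return builder.close()


def import_is_safe(data: bytes) -> bool:
    """True if the payload parses without any rejected declaration."""
    try:
        parse_course_xml(data)
    except UnsafeXMLError:
        return False
    return True


# Constructed samples (not real course data): a benign course.xml and one
# that declares an external entity pointing at a placeholder path.
BENIGN_COURSE = b'<course org="Example" course="CS101" url_name="2024"/>'
XXE_COURSE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE course [<!ENTITY ext SYSTEM "file:///placeholder/secret">]>'
    b'<course org="Example" course="CS101" url_name="&ext;"/>'
)
```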

Hello @Saad_Yousaf
I’m afraid I can’t find any attached files.


Hi @mahyard
Sorry for missing that, I have added the patch on the post. Please let me know if you can see it now!
Thank you for pointing that out!


Thank you @Saad_Yousaf
I’m able to see it now.