Security: Patch for XXE vulnerability in course import

Saad_Yousaf · August 12, 2021, 10:12am

Hello all,

We just released a fix for a security vulnerability in course import. See the email attachment for a patch for the master, Koa and Lilac.

Without this patch, it is possible that course imports might be vulnerable to XML external entity (XXE) injection. This security patch uses code that escapes this vulnerability and fixes the XXE injection in course import.

We advise you to patch your instances as soon as possible The fix has been made public and merged into the respective branches.

If you have any questions, feel free to reach out to me.

Thanks,
Saad Yousaf, edX

security_xxe_fix.patch (976 Bytes)

mahyard · August 13, 2021, 9:00pm

Hello @Saad_Yousaf
I’m afraid I can’t find any attached files.

Saad_Yousaf · August 14, 2021, 9:50am

Hi @mahyard
Sorry for missing that, I have added the patch on the post. Please let me know if you can see it now!
Thank you for pointing that out!

mahyard · August 14, 2021, 9:51am

Thank you @Saad_Yousaf
I’m able to see it now.

Topic		Replies	Views
Question about Course Import Feature Site Operators koa	5	538	December 7, 2021
Student access error in imported courses Site Operations Help	2	442	May 23, 2022
Course Updates converted to welcome message, with no replacement - OUCH Design	3	951	August 15, 2019
Course Import File Not happening over Chrome browser Tutor Help	2	88	April 19, 2024
Content issue in Open edX tutor Quince Site Operators tutor , quince	2	108	March 12, 2024

Security: Patch for XXE vulnerability in course import

Related Topics