PT-2019-8315 · Edx · Edx-Platform

Published: 2019-07-30 · Updated: 2020-01-07 · CVE-2017-18380

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: edx-platform versions prior to 2017-08-03

Description: The issue allows attackers to trigger password-reset e-mail messages where the reset link has an attacker-controlled domain name. This can be exploited by attackers to potentially gain unauthorized access to user accounts.

Recommendations: For versions prior to 2017-08-03, update to a version released after 2017-08-03 to resolve the issue. As a temporary workaround, consider restricting access to the password reset functionality until the update is applied.

Fix

Improper Access Control

Weakness Enumeration

Related Identifiers

CVE-2017-18380

Affected Products

Edx-Platform