edX · Open edX Studio · CVE-2020-13146
**Name of the Vulnerable Software and Affected Versions**
Open edX Studio version 2.5
**Description**
Open edX Studio is vulnerable to CSV injection: a cohort added in Course>Instructor>Cohorts may contain a formula, which is then exported via the "Course>Data Downloads>Reports>Download profile info" feature.
**Recommendations**
For Open edX Studio version 2.5, consider restricting access to the "Course>Data Downloads>Reports>Download profile info" feature until a patch is available to prevent potential CSV injection attacks. Additionally, avoid adding cohorts with formulas in the Course>Instructor>Cohorts section to minimize the risk of exploitation.
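One way to neutralize formula cells when the report is generated, shown as an added example (not Open edX code and not the vendor's patch). The column names and the helpers `neutralize_cell` and `export_profile_report` are hypothetical, and the sample rows are constructed.

```python
import csv
import io

# Leading characters that spreadsheet applications interpret as the start of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@")

# Assumed column layout for the report; the real export has its own columns.
FIELDS = ["username", "email", "cohort"]

# Constructed sample data: the second cohort value starts with a formula prefix.
SAMPLE_ROWS = [
    {"username": "student1", "email": "student1@example.com", "cohort": "Group A"},
    {"username": "student2", "email": "student2@example.com", "cohort": "=1+1"},
    {"username": "student3", "email": "student3@example.com", "cohort": None},
]


def neutralize_cell(value):
    """Return the value as text that a spreadsheet will display, not evaluate."""
    text = "" if value is None else str(value)
    # Tab and carriage return are checked on the raw text; the formula prefixes are
    # checked after leading whitespace, in case an importer trims it.
    if text.startswith(("\t", "\r")) or text.lstrip().startswith(FORMULA_PREFIXES):
        # A leading apostrophe stops the cell from being parsed as a formula.
        return "'" + text
    return text


def export_profile_report(rows, fieldnames=FIELDS):
    """Write rows to CSV with every user-controlled cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({name: neutralize_cell(row.get(name)) for name in fieldnames})
    return buf.getvalue()


if __name__ == "__main__":
    print(export_profile_report(SAMPLE_ROWS))
```

Values that legitimately start with `-` or `+`, such as signed numbers, are prefixed as well, so a real export would apply `neutralize_cell` to free-text fields like the cohort and leave known numeric columns alone.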