PT-2019-8315 · Edx · Edx-Platform
Published
2019-07-30
·
Updated
2020-01-07
·
CVE-2017-18380
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
edx-platform versions prior to 2017-08-03
Description
The issue allows attackers to trigger password-reset e-mail messages where the reset link has an attacker-controlled domain name. This can be exploited by attackers to potentially gain unauthorized access to user accounts.
Recommendations
For versions prior to 2017-08-03, update to a version released after 2017-08-03 to resolve the issue. As a temporary workaround, consider restricting access to the password reset functionality until the update is applied.
Fix
Improper Access Control
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Edx-Platform