PT-2020-13351 · Edx · Open Edx

Published

2020-05-18

Updated

2022-04-26

CVE-2020-13144

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Open edX Ironwood version 2.5

Description The issue allows a user to execute arbitrary Python code when CodeJail is not used. This can be achieved by navigating to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, editing the problem, and executing Python code.

Recommendations For Open edX Ironwood version 2.5, consider using CodeJail to prevent arbitrary code execution. As a temporary workaround, restrict access to the "Custom Python evaluated code" feature in the Advanced tab of the Problem button until a patch is available.

Exploit

Fix

Code Injection

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-94CWE-862

Related Identifiers

CVE-2020-13144

Affected Products

Open Edx

PT-2020-13351 · Edx · Open Edx

CVE-2020-13144

Weakness Enumeration

Related Identifiers

Affected Products

References · 7