PT-2020-13353 · Edx · Open Edx Studio

Stark0De

Published

2020-05-18

Updated

2021-07-21

CVE-2020-13146

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Open edX Studio version 2.5

Description The issue allows CSV injection because an added cohort in Course>Instructor>Cohorts may contain a formula that is exported via the "Course>Data Downloads>Reports>Download profile info" feature.

Recommendations For Open edX Studio version 2.5, consider restricting access to the "Course>Data Downloads>Reports>Download profile info" feature until a patch is available to prevent potential CSV injection attacks. Additionally, avoid adding cohorts with formulas in the Course>Instructor>Cohorts section to minimize the risk of exploitation.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1236

Related Identifiers

CVE-2020-13146

Affected Products

Open Edx Studio

PT-2020-13353 · Edx · Open Edx Studio

CVE-2020-13146

Weakness Enumeration

Related Identifiers

Affected Products

References · 4