PT-2023-19073 · Open Edx · Lti Consumer Xblock

Published: 2023-01-25 · Updated: 2024-08-30 · CVE-2023-23611
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LTI Consumer XBlock versions 7.0.0 through 7.2.2

Description: The LTI Consumer XBlock implements the consumer side of the LTI specification, enabling integration of third-party LTI provider tools. Any LTI tool integrated with the Open edX platform can post a grade back for any LTI XBlock if it knows or can guess the block location of that XBlock. An LTI tool submits scores to the edX platform for line items, and the code that uploads the score to the LMS grade tables decides which XBlock receives the grade by reading the resource link id field of the associated line item. Because that field is supplied by the tool, a malicious LTI tool can submit scores for any LTI XBlock on the platform simply by placing the target block's location in the resource link id field. The impact is a loss of integrity for LTI XBlock grades.

Recommendations: Update to version 7.2.2 to resolve the issue. As a temporary workaround, consider restricting access to the resource link id field to minimize the risk of exploitation, and avoid relying on the resource link id field in the affected API endpoint until the issue is resolved.
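As an added illustration, not code from the lti-consumer XBlock project, the following Python models the grade passback path the description sketches: an unchecked version that writes the grade wherever the line item's resource link id points, beside a version that binds the write to the block the authenticated tool was configured on. All class names, fields and sample values are constructed for this example.

```python
from dataclasses import dataclass

# All names below are constructed for this illustration, not the XBlock's own API.


@dataclass(frozen=True)
class LtiConfiguration:
    """One configured LTI tool; `location` is the XBlock it is attached to."""
    config_id: str
    location: str  # usage key of the XBlock this tool was configured on


@dataclass(frozen=True)
class LineItem:
    """A gradebook column the tool created; resource_link_id names an XBlock."""
    line_item_id: str
    config_id: str
    resource_link_id: str


class Forbidden(Exception):
    """Raised when a score submission is rejected before any grade is written."""


GRADES: dict[str, float] = {}  # stand-in for the LMS grade table: location -> score


def validate_score(score: dict) -> float:
    """Reject a malformed AGS-style score; returns scoreGiven / scoreMaximum."""
    given, maximum = float(score["scoreGiven"]), float(score["scoreMaximum"])
    if maximum <= 0 or not 0 <= given <= maximum:
        raise ValueError("scoreGiven must lie within [0, scoreMaximum]")
    return given / maximum


def publish_score_unchecked(config, line_item, score):
    """Vulnerable shape (CVE-2023-23611): the target block is whatever the line
    item's resource_link_id says, so a tool can grade any LTI XBlock it can name."""
    GRADES[line_item.resource_link_id] = validate_score(score)
    return line_item.resource_link_id


def publish_score(config, line_item, score):
    """Hardened shape: the line item must belong to the authenticated tool's
    configuration, and the grade is written to that configuration's own block,
    never to a location chosen by the tool."""
    if line_item.config_id != config.config_id:
        raise Forbidden("line item does not belong to this tool configuration")
    if line_item.resource_link_id != config.location:
        raise Forbidden("resource_link_id does not match the configured block")
    GRADES[config.location] = validate_score(score)
    return config.location
```

Deriving the target from the configuration the tool authenticated against, rather than from a field the tool controls, is the property the fix restores.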

Weakness Enumeration: Missing Authorization

Related Identifiers

CVE-2023-23611
GHSA-7J9P-67MM-5G87
PYSEC-2023-21

Affected Products

Lti Consumer Xblock