漏洞标题
开放edX平台的导师上传CSV用于创建批次,默认情况下并非私有
漏洞描述信息
开放的edX平台是一个学习管理系统。教师可以通过在讲师仪表板中创建群体来上传包含学习者信息的csv文件。这些文件使用django默认存储进行上传。在某些存储后端中,当上传者使用版本master、palm、olive、nutmeg、maple、lilac、koa或juniper时,上传可能会变得公开可用。在提交cb729a3ced0404736dfa0ae768526c82b608657b中的补丁确保了上传到AWS S3桶的群体数据以私有ACL进行编写。除了进行补丁之外,部署者还应确保现有的群体上传具有私有ACL,或者采取其他预防措施以避免公开访问。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
漏洞类别
危险类型文件的不加限制上传
漏洞标题
Open edX Platform's instructor upload CSV for cohort creation not Private by Default
漏洞描述信息
The Open edX Platform is a learning management platform. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the django default storage. With certain storage backends, uploads may become publicly available when the uploader uses versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper. The patch in commit cb729a3ced0404736dfa0ae768526c82b608657b ensures that cohorts data uploaded to AWS S3 buckets is written with a private ACL. Beyond patching, deployers should also ensure that existing cohorts uploads have a private ACL, or that other precautions are taken to avoid public access.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
漏洞类别
访问控制不恰当
漏洞标题
Open edX Platform 安全漏洞
漏洞描述信息
Open edX Platform是Open edX开源的一套开源的课程管理系统(CMS)。该系统可用于MOOCs(大规模网络开放课程)以及较小的课程和培训模块。 Open edX Platform存在安全漏洞,该漏洞源于对于某些存储后端,上传内容可能会公开。
CVSS信息
N/A
漏洞类别
其他