CVE-2024-41806

CVSS 3.1 Score 5.3 of 10 (medium)

Details

Published Jul 25, 2024
Updated: Jul 26, 2024
CWE ID 284

Summary

CVE-2024-41806 is a vulnerability affecting the Open edX Platform, a learning management system. Instructors can upload learner information as CSV files for creating cohorts via the instructor dashboard. These files are uploaded using the django default storage, which may result in publicly accessible uploads when certain storage backends, such as master, palm, olive, nutmeg, maple, lilac, koa, or juniper, are utilized. Consequently, sensitive learner data could be exposed. To mitigate this risk, a patch (cb729a3ced0404736dfa0ae768526c82b608657b) has been implemented to ensure private write access when uploading cohorts data to Amazon S3 buckets. It's also essential for deployers to review and adjust the access control settings for existing cohorts uploads or take additional measures to prevent public access.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share