CVE-2024-41806
CVSS 3.1 Score 5.3 of 10 (medium)
Details
Summary
CVE-2024-41806 is a vulnerability affecting the Open edX Platform, a learning management system. Instructors can upload learner information as CSV files for creating cohorts via the instructor dashboard. These files are uploaded using the django default storage, which may result in publicly accessible uploads when certain storage backends, such as master, palm, olive, nutmeg, maple, lilac, koa, or juniper, are utilized. Consequently, sensitive learner data could be exposed. To mitigate this risk, a patch (cb729a3ced0404736dfa0ae768526c82b608657b) has been implemented to ensure private write access when uploading cohorts data to Amazon S3 buckets. It's also essential for deployers to review and adjust the access control settings for existing cohorts uploads or take additional measures to prevent public access.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.