CVE-2015-2186

Published: Feb 3, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The Ansible edxapp role in the Configuration Repo in edX allows remote websites to spoof edX accounts by leveraging use of the string literal "False" instead of a boolean False for the CORS_ORIGIN_ALLOW_ALL setting. Note: this vulnerability was fixed on 2015-03-06, but the version number was not changed.

Affected (2)

Products: Edx: Configuration, Edx Platform

2 products

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Edx Configuration	Up to 1.0
Edx Edx Platform	Up to 1.6.0

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (4)

https://github.com/edx/configuration/pull/1885/files

Source: cve@mitre.org

PatchThird Party Advisory

https://open.edx.org/CVE-2015-2186

Source: cve@mitre.org

Vendor Advisory

https://github.com/edx/configuration/pull/1885/files

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://open.edx.org/CVE-2015-2186

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.