Home > Vulnerability Database > CVE-2024-41806

Mend.io Vulnerability Database

CVE-2024-41806

Date: July 25, 2024

The Open edX Platform is a learning management platform. Instructors can upload csv files containing learner information to create cohorts in the instructor dashboard. These files are uploaded using the django default storage. With certain storage backends, uploads may become publicly available when the uploader uses versions master, palm, olive, nutmeg, maple, lilac, koa, or juniper. The patch in commit cb729a3ced0404736dfa0ae768526c82b608657b ensures that cohorts data uploaded to AWS S3 buckets is written with a private ACL. Beyond patching, deployers should also ensure that existing cohorts uploads have a private ACL, or that other precautions are taken to avoid public access.

Language: Python

Severity Score

5.3

Related Resources (4)

Url: https://github.com/openedx/edx-platform/commit/cb729a3ced0404736dfa0ae768526c82b608657b

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-41806

Url: https://github.com/openedx/edx-platform/security/advisories/GHSA-4528-7fh6-x75c

Url: https://www.mend.io/vulnerability-database/CVE-2024-41806

Severity Score

5.3

Weakness Type (CWE)

Improper Access Control

CWE-284

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-41806

Date: July 25, 2024

Language: Python

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?