CVE-2015-2186

HIGH

edx/configuration - Account Spoofing via CORS_ORIGIN_ALLOW_ALL String Literal Misconfiguration

Title source: llm
STIX 2.1

Description

The Ansible edxapp role in the Configuration Repo in edX allows remote websites to spoof edX accounts by leveraging use of the string literal "False" instead of a boolean False for the CORS_ORIGIN_ALLOW_ALL setting. Note: this vulnerability was fixed on 2015-03-06, but the version number was not changed.

References (2)

Core 2
Core References
Vendor Advisory x_refsource_confirm
https://open.edx.org/CVE-2015-2186
Patch, Third Party Advisory x_refsource_confirm
https://github.com/edx/configuration/pull/1885/files

Scores

CVSS v3 7.5
EPSS 0.0113
EPSS Percentile 62.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20
Status published
Products (2)
edx/configuration < 1.0
edx/edx-platform < 1.6.0
Published Feb 03, 2018
Tracked Since Feb 18, 2026