CVE-2020-13144

HIGH

Open edX Ironwood 2.5 - Unauthenticated Remote Code Execution via Custom Python Evaluated Code

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-13144. PoCs published by Daniel Monzón.

AI-analyzed exploit summary This exploit leverages a Remote Code Execution (RCE) vulnerability in OpenEDX Platform Ironwood 2.5 by injecting Python code into a custom problem component. The vulnerability arises when CodeJail is not enforced, allowing arbitrary command execution via the `os.system` function.

Description

Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution.

Exploits (1)

exploitdb WORKING POC
by Daniel Monzón · textwebappsmultiple
https://www.exploit-db.com/exploits/48500

This exploit leverages a Remote Code Execution (RCE) vulnerability in OpenEDX Platform Ironwood 2.5 by injecting Python code into a custom problem component. The vulnerability arises when CodeJail is not enforced, allowing arbitrary command execution via the `os.system` function.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: OpenEDX Platform Ironwood 2.5
Auth required
Prerequisites: Authenticated access to the OpenEDX platform · CodeJail not enforced · Ability to create/edit course components
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://stark0de.com/2020/05/17/openedx-vulnerabilities.html

Scores

CVSS v3 8.8
EPSS 0.1096
EPSS Percentile 95.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-862 CWE-94
Status published
Products (1)
edx/open_edx_platform 2.5
Published May 18, 2020
Tracked Since Feb 18, 2026