Hello all,
We have released a patch (which is linked below) for a security vulnerability in edxapp.
Affected repo: edx-platform
Branches: Ironwood, master
Due to this bug, CustomTagModule will execute arbitrary Mako templates that are imported as part of a course's OLX. Since Mako templates can contain any Python code, we were allowing arbitrary Python code execution by course staff. This is an obscure XModule that has existed since the earliest prototype days of Open edX.
Without this patch, course teams could exploit the vulnerability by creating custom Mako templates in their course OLX. Such a template could be used to import modules, display secrets, run database queries and elevate privileges. In the few cases we have looked at so far, it has only been used as it was intended to be.
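For operators who want to check whether the feature was used on their instance, here is an added audit script (not part of the advisory or of edx-platform) that scans an exported course for custom tag templates embedding Mako Python blocks or call expressions. It assumes, as the advisory does not state, that custom tag templates live under a `custom_tags/` directory at the course export root.

```python
"""Audit an exported Open edX course (OLX) for custom tag templates that embed Python.

Assumption (not stated in the advisory): the templates rendered by CustomTagModule
sit under <course root>/custom_tags/ and are referenced by <customtag impl="name"/>.
"""
import os
import re
import tempfile

# A Mako code block is "<%" or "<%!" followed by a non-letter (a letter would make it a
# tag such as <%page ...>). "${ ... ( ... }" is an expression that calls something.
PY_BLOCK = re.compile(r"<%!?(?![A-Za-z]).*?%>", re.S)
PY_EXPR_CALL = re.compile(r"\$\{[^}]*\(")


def classify_template(text):
    """Return the set of reasons a template is suspicious (empty when it is plain markup)."""
    reasons = set()
    if PY_BLOCK.search(text):
        reasons.add("python-block")
    if PY_EXPR_CALL.search(text):
        reasons.add("expression-call")
    return reasons


def audit_course(course_root):
    """Map each suspicious custom tag template name to its sorted list of reasons."""
    findings = {}
    tag_dir = os.path.join(course_root, "custom_tags")
    if not os.path.isdir(tag_dir):
        return findings  # course never used custom tags
    for name in sorted(os.listdir(tag_dir)):
        with open(os.path.join(tag_dir, name), encoding="utf-8") as fh:
            reasons = classify_template(fh.read())
        if reasons:
            findings[name] = sorted(reasons)
    return findings


def build_sample_course():
    """Constructed sample export: one plain template and one that embeds Python."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "custom_tags"))
    samples = {
        "caption": '<div class="cap">${caption}</div>\n',
        "date_stamp": "<%\nimport datetime\n%>\n<p>${datetime.date.today()}</p>\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, "custom_tags", name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print(audit_course(build_sample_course()))
```

Run it against the root of a real `tar.gz` course export after unpacking; any template listed in the output merits a manual read before the patch is rolled out.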
We advise you to patch your instances as soon as possible, and if you have any questions, feel free to reach out.