Vulnerability Details : CVE-2015-2186
The Ansible edxapp role in the Configuration Repo in edX allows remote websites to spoof edX accounts by leveraging use of the string literal "False" instead of a boolean False for the CORS_ORIGIN_ALLOW_ALL setting. Note: this vulnerability was fixed on 2015-03-06, but the version number was not changed.
Vulnerability category: Input validation
Products affected by CVE-2015-2186
- cpe:2.3:a:edx:configuration:*:*:*:*:*:*:*:*
- cpe:2.3:a:edx:edx-platform:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-2186
0.08%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 37 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-2186
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2015-2186
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2186
-
https://open.edx.org/CVE-2015-2186
Page not found - Open edXVendor Advisory
-
https://github.com/edx/configuration/pull/1885/files
Update to use for booleans. by feanil · Pull Request #1885 · edx/configuration · GitHubPatch;Third Party Advisory
Jump to