CVE-2023-23611: LTI 1.3 Grade Pass Back Implementation has Missing Authorization Vulnerability
Any LTI tool that is integrated with on the Open edX platform can post a grade back for any LTI XBlock so long as it knows the resource_link_id (i.e. block location) for that XBlock.
The impact is a loss of integrity for LTI XBlock grades.
References
- github.com/advisories/GHSA-7j9p-67mm-5g87
- github.com/openedx/xblock-lti-consumer
- github.com/openedx/xblock-lti-consumer/commit/252f94bd182cd0962af9251015930cb55ec515d7
- github.com/openedx/xblock-lti-consumer/security/advisories/GHSA-7j9p-67mm-5g87
- github.com/pypa/advisory-database/tree/main/vulns/lti-consumer-xblock/PYSEC-2023-21.yaml
- nvd.nist.gov/vuln/detail/CVE-2023-23611
Code Behaviors & Features
Detect and mitigate CVE-2023-23611 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →