CVE-2026-42857— Open edX Platform 跨站脚本漏洞

Open edX Platform: Stored CSS Injection in Email Notifications via Incomplete HTML Sanitization

Open edX Platform enables the authoring and delivery of online learning at any scale. The HTML sanitizer clean_thread_html_body() used for discussion notification emails fails to remove <style> tags from user-generated discussion post content. This content is rendered with Django's |safe template filter in email notification templates, allowing any enrolled student to inject arbitrary CSS into email notifications sent to other users. This enables email tracking (IP address disclosure), content spoofing, and phishing attacks. This vulnerability is fixed with commit cddc25cd791bb78f76833896e4778f668861df12.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Open edX Platform 跨站脚本漏洞

Open edX Platform是Open edX开源的一套开源的课程管理系统（CMS）。该系统可用于MOOCs（大规模网络开放课程）以及较小的课程和培训模块。 Open edX Platform存在跨站脚本漏洞，该漏洞源于HTML清理器clean_thread_html_body未移除用户生成讨论内容中的style标签，且内容使用Django |safe模板过滤器渲染，可能导致任意注册学生注入任意CSS到邮件通知中。

N/A

N/A