CVE-2023-23611

xblock-lti-consumer contains Missing Authorization in Grade Pass Back Implementation

Description

LTI Consumer XBlock implements the consumer side of the LTI specification, enabling integration of third-party LTI provider tools. Versions 7.0.0 and above, prior to 7.2.2, are vulnerable to Missing Authorization. Any LTI tool integrated with the Open edX platform can post a grade back for any LTI XBlock, so long as it knows or can guess the block location of that XBlock. An LTI tool submits scores to the edX platform for line items. The code that uploads the score to the LMS grade tables determines which XBlock to record the grade for by reading the resource_link_id field of the associated line item. Because the LTI tool may submit any value for resource_link_id, a malicious LTI tool can submit scores for any LTI XBlock on the platform. The impact is a loss of integrity for LTI XBlock grades. This issue is patched in 7.2.2. No workarounds exist.
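The following is an added illustration of the flaw described above and of the missing check; it is not code from xblock-lti-consumer. It models the situation in plain Python: a tool integration (LtiConfig) is placed in exactly one XBlock location, a line item created by that tool carries a tool-supplied resource_link_id, and the score handler must decide which block receives the grade. The class and function names, the sample block locations and the exact shape of the hardened check are assumptions for this example; the real project stores these objects as Django models, and its 7.2.2 fix may differ in detail.

```python
"""Illustrative model of the LTI grade pass-back authorization check.

Added example, not code from xblock-lti-consumer. LtiConfig, LineItem,
upload_score_vulnerable, upload_score_fixed and the sample block locations
are assumptions made for this illustration.
"""
from dataclasses import dataclass


class GradeAuthorizationError(Exception):
    """Raised when a tool tries to post a score for a block it is not placed in."""


@dataclass(frozen=True)
class LtiConfig:
    """One LTI tool integration, bound to exactly one LTI XBlock location."""
    config_id: int
    block_location: str  # usage key of the XBlock this tool is placed in


@dataclass(frozen=True)
class LineItem:
    """A gradebook column a tool created through LTI Advantage AGS."""
    line_item_id: int
    config_id: int         # the tool integration that created this line item
    resource_link_id: str  # supplied by the tool; may be any string


# Constructed sample data: two tools, each placed in its own course block.
BLOCK_A = "block-v1:OrgA+CourseA+2023+type@lti_consumer+block@aaa"
BLOCK_B = "block-v1:OrgB+CourseB+2023+type@lti_consumer+block@bbb"
CONFIGS = {
    1: LtiConfig(config_id=1, block_location=BLOCK_A),
    2: LtiConfig(config_id=2, block_location=BLOCK_B),
}


def upload_score_vulnerable(line_item: LineItem, score: float,
                            gradebook: dict) -> str:
    """Pre-7.2.2 behaviour: the target block is whatever resource_link_id says.

    Tool 1 can create a line item whose resource_link_id is tool 2's block
    location and overwrite grades for a block it was never placed in.
    """
    gradebook[line_item.resource_link_id] = score
    return line_item.resource_link_id


def upload_score_fixed(line_item: LineItem, score: float,
                       gradebook: dict) -> str:
    """Hardened behaviour: the target block is taken from the tool's own
    configuration, and a tool-supplied resource_link_id that does not match
    it is refused instead of trusted.
    """
    config = CONFIGS[line_item.config_id]
    if line_item.resource_link_id != config.block_location:
        raise GradeAuthorizationError(
            f"line item {line_item.line_item_id} targets "
            f"{line_item.resource_link_id!r}, but tool config "
            f"{config.config_id} is bound to {config.block_location!r}"
        )
    gradebook[config.block_location] = score
    return config.block_location


def demo() -> tuple:
    """Replay the forged line item against both handlers.

    Returns (vulnerable_gradebook, fixed_gradebook) so the effect on the
    other tool's block can be compared.
    """
    honest = LineItem(line_item_id=10, config_id=1, resource_link_id=BLOCK_A)
    forged = LineItem(line_item_id=11, config_id=1, resource_link_id=BLOCK_B)

    vulnerable_book = {BLOCK_B: 0.9}           # tool 2 had already graded B
    upload_score_vulnerable(honest, 0.5, vulnerable_book)
    upload_score_vulnerable(forged, 0.0, vulnerable_book)  # B is overwritten

    fixed_book = {BLOCK_B: 0.9}
    upload_score_fixed(honest, 0.5, fixed_book)
    try:
        upload_score_fixed(forged, 0.0, fixed_book)
    except GradeAuthorizationError:
        pass                                   # B is left untouched
    return vulnerable_book, fixed_book


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable:", vuln)
    print("fixed:     ", fixed)
```

The point of the hardened handler is that the grade target is derived from state the platform controls (which block the authenticated tool integration is placed in), and the tool-supplied resource_link_id is only ever compared against that, never used as the lookup key on its own.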

Category

CVSS 3.1 score: 5.4 (Severity: Medium)
EPSS: 0.15%
Affected: openedx xblock-lti-consumer
Published at:
Updated at:

References

Third-Party Advisory: github.com

Frequently Asked Questions

What is the severity of CVE-2023-23611?
CVE-2023-23611 has been scored as a medium severity vulnerability.
How to fix CVE-2023-23611?
To fix CVE-2023-23611, upgrade xblock-lti-consumer to version 7.2.2 or later, checking the vendor release notes for the affected component(s). According to the advisory, no workarounds exist for affected versions (7.0.0 and above, prior to 7.2.2).
Is CVE-2023-23611 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2023-23611 is being actively exploited. Its EPSS score of 0.15% indicates a very low probability (roughly 0%) that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-23611?
CVE-2023-23611 affects openedx xblock-lti-consumer.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.