A critical privilege escalation vulnerability exists in The Open edX Platform, allowing users with a limited staff role to gain unauthorized access to and edit course content. This flaw could lead to unauthorized modification of educational materials, compromising data integrity and disrupting the learning environment. Organizations using the affected platform are at high risk of data breaches and reputational damage.

This is an Improper Access Control vulnerability. The CourseLimitedStaffRole is intended to have restricted permissions and no access to the "Studio" course authoring interface. However, if this role is improperly assigned at an organizational level instead of a specific course level, the access control checks fail. This allows a user with this role to bypass intended restrictions, granting them the ability to list, access, and, most critically, edit courses within the Studio interface, effectively escalating their privileges to that of a course author or editor.

This vulnerability is rated as critical severity with a CVSS score of 9.9. Exploitation could have a severe impact on the organization's core operations and reputation. An attacker with a compromised or maliciously assigned CourseLimitedStaffRole account could alter, delete, or exfiltrate sensitive course content and intellectual property. This unauthorized modification compromises the integrity of educational materials, could be used to spread misinformation to students, and disrupts the platform's function, leading to a loss of trust from users and stakeholders.

Immediate Action: Immediately apply the patch associated with commit 05d0d0936daf82c476617257aa6c35f0cd4ca060 by updating The Open edX Platform to the latest secure version as recommended by the vendor. After patching, it is crucial to review access logs for any evidence of unauthorized access or modification to course content originating from accounts with the CourseLimitedStaffRole.

Proactive Monitoring: Implement enhanced logging and alerting for the Studio interface. Specifically, monitor for any access or modification activities performed by users assigned the CourseLimited-StaffRole. Regularly audit user role assignments to ensure roles are not being granted at a broader scope (organization-level) than intended (course-level).

Compensating Controls: If immediate patching is not feasible, conduct an urgent audit of all user accounts. Identify and revoke any CourseLimitedStaffRole assignments made at the organization level. Re-assign these roles at the correct, more restrictive course-by-course level. Implement network segmentation or a Web Application Firewall (WAF) rule to block or alert on attempts by these users to access Studio-related URLs.

Public Exploit Available: false

Given the critical CVSS score of 9.9, this vulnerability poses a significant and immediate threat to the confidentiality and integrity of the educational platform. We strongly recommend that organizations apply the vendor-provided patch without delay. While this CVE is not currently listed on the CISA KEV list, its severity warrants treating it with the highest priority. In parallel with patching, a thorough audit of user roles and permissions should be conducted to identify and correct any misconfigurations that could be exploited.