edx-platform before 2016-06-10 allows account activation with a spoofed e-mail address.

edx-platform before 2016-06-06 allows CSRF.

edx-platform before 2015-09-17 allows XSS via a team name.

edx-platform before 2015-08-17 allows XSS in the Studio listing of courses.

edx-platform before 2015-07-20 allows code execution by privileged users because the course import endpoint mishandles .tar.gz files.

The Ansible edxapp role in the Configuration Repo in edX allows remote websites to spoof edX accounts by leveraging use of the string literal "False" instead of a boolean False for the CORS_ORIGIN_ALLOW_ALL setting. Note: this vulnerability was fixed on 2015-03-06, but the version number was not changed.

Open edX edx-platform before 2015-08-25 requires use of the database for storage of SAML SSO secrets, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging access to a database backup.

lms/templates/footer-edx-new.html in Open edX edx-platform before 2015-01-29 does not properly restrict links on the password-reset page, which allows user-assisted remote attackers to discover password-reset tokens by reading a referer log after a victim navigates from this page to a social-sharing site.

SpeedXess HA-120 DSL router has a default administrative password of "speedxess", which allows remote attackers to gain access.