The openedx-platform before commit 76462f1e5fa9b37d2621ad7ad19514b403908970 contains an open redirect vulnerability (CWE-601) in the view_survey endpoint. The redirect_url GET parameter is not validated before being passed to HttpResponseRedirect(), allowing attackers to craft URLs that redirect users to arbitrary external sites. When a non-existent survey name is requested, the server issues an immediate HTTP 302 redirect to the attacker-controlled URL. Furthermore, the same unvalidated URL is included in a hidden form field returned in a JSON response, where client-side JavaScript executes location.href = url, reinforcing the redirect. This behavior can be exploited for phishing and credential theft against authenticated users. The vulnerability is addressed by the referenced commit that adds proper validation.

This vulnerability allows attackers to redirect users to malicious external websites via crafted URLs, facilitating phishing and credential theft attacks against authenticated Open edX users. The impact is limited to user redirection and does not directly affect confidentiality, integrity, or availability of the platform itself. The CVSS score of 4.7 reflects a medium severity level with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low confidentiality impact.

A fix for this vulnerability is available and implemented in commit 76462f1e5fa9b37d2621ad7ad19514b403908970. Users and administrators of openedx-platform should upgrade to this commit or a later version that includes the fix. No additional mitigation is indicated by the vendor advisory. Patch status is confirmed by the vendor commit reference.