edx-platform prior to 2015-07-20 allows code execution by privileged users because the course import endpoint mishandles .tar.gz files.
edx edx-platform