2019-07-11 Instructure Advisory IAC26892 - MathJax XSS Vulnerability

mhillary
Instructure Alumni

    SECURITY UPDATE


  Release Date: 2019-07-11
  Description: MathJax XSS Vulnerability
  Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact: XSS (Cross Site Scripting)
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Pull request to instructure/canvas-lms · GitHub
  Relevant Changesets: Fix critical MathJax XSS Vulnerability · instructure/canvas-lms@148fe06 · GitHub


Summary:

An XSS (Cross Site Scripting) vulnerability was publicly disclosed via a Pull Request to instructure/canvas-lms on GitHub. The vulnerability stems from the version of the MathJax dependency used in a Canvas component, which allows an attacker to exploit it with JavaScript through Canvas' Rich Text Editor.

Status:

All systems were patched as of 11:11 AM MT on 7/11/2019.