2019-07-11 Instructure Advisory IAC26892 - MathJax XSS Vulnerability
SECURITY UPDATE
Release Date: 2019-07-11
Description: MathJax XSS Vulnerability
Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
Impact: XSS (Cross Site Scripting)
Systems Affected: Canvas LMS
Solution Status: Patched
Discovered By: Pull request to instructure/canvas-lms · GitHub
Relevant Changesets: Fix critical MathJax XSS Vulnerability · instructure/canvas-lms@148fe06 · GitHub
Summary:
An XSS (Cross Site Scripting) vulnerability was publicly disclosed via a Pull Request to instructure/canvas-lms on GitHub. The vulnerability is caused by the version of the MathJax dependency used in a Canvas component, and an attacker can exploit it with JavaScript through Canvas' Rich Text Editor.
Status:
All systems were patched as of 11:11 AM MT on 7/11/2019.