| Field | Value |
|---|---|
| Release Date: | 2012-01-25 (Last update can be found below the document title) |
| Description: | Admin Cross-Account Password Changing |
| Criticality Level: | Less Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Systems Affected: | Canvas LMS |
| Discovered By: | Internal Instructure Audit |
A vulnerability was discovered in the functionality that allows account admins to change passwords for users in their account. If a user has logins (pseudonyms) in both account A and account B, an admin with password-changing privileges on account A could craft an HTTP request (using curl or a similar tool) naming the user's login on account B, and the password for that login would be changed even though the admin has no privileges on account B. In other words, the request was authorized against the admin's relationship to the user, not against the account that owns the specific login being changed. The admin would first have to discover the login (pseudonym) id for that user on account B. This could allow a malicious LMS admin to log in as a user under another account and access that user's private information on the second account.
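The following is an added illustration of the authorization flaw described above, written as a small in-memory model rather than Canvas code: the `Directory`, `PasswordChanger`, account numbers and user ids are assumptions chosen for readability, not Canvas identifiers or the actual patch. It shows a check that authorizes the admin against the target user (vulnerable) next to one that authorizes against the account owning the pseudonym being changed (fixed).

```ruby
# Added example, not Canvas code. Models the cross-account password change:
# a user with logins in two accounts, and an admin who only has rights in one.

# A pseudonym is one login belonging to a user within a single account.
Pseudonym = Struct.new(:id, :user_id, :account_id, :password)

class Directory
  attr_reader :pseudonyms

  def initialize
    @pseudonyms = {}                             # pseudonym id => Pseudonym
    @admins     = Hash.new { |h, k| h[k] = [] }  # account id   => [admin user ids]
  end

  def add_pseudonym(pseudonym)
    @pseudonyms[pseudonym.id] = pseudonym
  end

  def grant_admin(user_id, account_id)
    @admins[account_id] << user_id
  end

  def admin_of?(user_id, account_id)
    @admins[account_id].include?(user_id)
  end

  # Every account in which the given user holds at least one login.
  def accounts_for_user(user_id)
    @pseudonyms.values.select { |p| p.user_id == user_id }.map(&:account_id).uniq
  end
end

class PasswordChanger
  def initialize(directory)
    @dir = directory
  end

  # Vulnerable: the check asks "may this admin manage this *user*?", which is
  # true if the admin has rights in any account the user belongs to. The
  # client-supplied pseudonym id is then trusted, so a login that lives in a
  # different account gets its password changed.
  def change_password_vulnerable(admin_id, pseudonym_id, new_password)
    pseudonym = @dir.pseudonyms[pseudonym_id]
    return :not_found unless pseudonym
    allowed = @dir.accounts_for_user(pseudonym.user_id)
                  .any? { |acct| @dir.admin_of?(admin_id, acct) }
    return :forbidden unless allowed
    pseudonym.password = new_password
    :ok
  end

  # Fixed: authorize against the account that owns the pseudonym actually
  # being modified, not against any account the user happens to be in.
  def change_password_fixed(admin_id, pseudonym_id, new_password)
    pseudonym = @dir.pseudonyms[pseudonym_id]
    return :not_found unless pseudonym
    return :forbidden unless @dir.admin_of?(admin_id, pseudonym.account_id)
    pseudonym.password = new_password
    :ok
  end
end

# Constructed scenario: user 1 has login 10 in account 1 (A) and login 11 in
# account 2 (B); admin 100 has password-changing rights only in account A.
def build_scenario
  dir = Directory.new
  dir.add_pseudonym(Pseudonym.new(10, 1, 1, "a-pass"))
  dir.add_pseudonym(Pseudonym.new(11, 1, 2, "b-pass"))
  dir.grant_admin(100, 1)
  dir
end

if __FILE__ == $PROGRAM_NAME
  dir = build_scenario
  changer = PasswordChanger.new(dir)
  puts "vulnerable, login in B: #{changer.change_password_vulnerable(100, 11, 'owned')}"
  puts "fixed, login in B:      #{changer.change_password_fixed(100, 11, 'owned')}"
  puts "fixed, login in A:      #{changer.change_password_fixed(100, 10, 'rotated')}"
end
```

The difference is a single line: the subject of the authorization check must be the pseudonym's own account, because the pseudonym id in the request is attacker-controlled and need not belong to the account the admin is working in.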
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.