2012-04-17 Instructure Advisory IAC80197 - XSS Attack Vulnerabilities

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by Renee Carney on Sep 22, 2015.
Version 2

SECURITY UPDATE


Release Date: 2012-04-17 (Last update can be found below the document title)
Description: XSS Attack Vulnerabilities
Criticality Level: Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
Impact:
  • Exposure of Sensitive Information
  • Cross Site Scripting
Systems Affected: Canvas LMS
Solution Status: Patched
Discovered By: Neal Poole and Nathan Partlan
Relevant Changesets:

  • https://github.com/instructure/canvas-lms/commit/27877a8e611dc3818e9f7bd98be151edbacd760c
  • https://github.com/instructure/canvas-lms/commit/b78ce5bfe3c23c5afbf6a90d6e6428c6869e5a60
  • https://github.com/instructure/canvas-lms/commit/634481bfaff49a5a75696d23d4db7e7b8d699148
  • https://github.com/instructure/canvas-lms/commit/6479b389334d7760aa2573d70c9d49e4813d3520
  • https://github.com/instructure/canvas-lms/commit/6ceb28a142b33ea99a9912174b5011fe44f92ef5


Summary:

Multiple cross-site scripting and open redirect vulnerabilities were discovered and reported by an independent audit. These vulnerabilities could allow an attacker to steal the private information of a user logged in to Canvas.


Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patches manually. Users of Canvas CV are also encouraged to verify that they have a files_domain configured in domain.yml.
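The files_domain recommendation above matters because user-uploaded content served from the same origin as the application can run with the logged-in session's cookies; a separate files domain keeps such content out of the Canvas origin. The following check is an added example, not Instructure's code: it parses a constructed domain.yml in the per-environment layout I recall from config/domain.yml.example (keys `domain` and `files_domain`, which are assumptions to verify against your own checkout) and flags environments where files_domain is missing or identical to the app domain.

```python
"""Audit a Canvas domain.yml for files_domain separation.
Added example; key names and layout are assumptions based on
config/domain.yml.example, not taken from this advisory."""

# Constructed sample in the shape of config/domain.yml; hostnames are placeholders.
SAMPLE_DOMAIN_YML = """
production:
  domain: "canvas.example.edu"
  ssl: true
  files_domain: "canvas-files.example.edu"
development:
  domain: "localhost:3000"
"""


def parse_simple_yaml(text):
    """Minimal parser for the flat 'env:\\n  key: value' layout used here,
    so the check runs without a PyYAML dependency. Quotes are stripped."""
    config, env = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"').strip("'")
        if not raw.startswith(" "):          # top-level environment name
            env = key
            config[env] = {}
        elif env is not None:                # indented key under that environment
            config[env][key] = value
    return config


def check_files_domain(env_config):
    """Return findings for one environment block. Uploads served from the
    app origin can execute script with the Canvas session, so files_domain
    must be present and must differ from domain."""
    findings = []
    app = env_config.get("domain", "")
    files = env_config.get("files_domain", "")
    if not files:
        findings.append("files_domain is not configured")
    elif files == app:
        findings.append("files_domain equals domain; uploads share the app origin")
    return findings


def audit(text):
    """Run the check over every environment in the file; empty list means OK."""
    return {env: check_files_domain(cfg) for env, cfg in parse_simple_yaml(text).items()}
```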
