|Release Date:|2012-11-26 (Last update can be found below the document title)|
|Criticality Level:|Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)|
|Systems Affected:|Canvas LMS|
|Solution Status:|Fixed in Canvas Cloud|
|Discovered By:|Himanshu Kumar Das|
Because Canvas was not protecting itself against being embedded in an iframe on another domain, it was possible for an attacker to craft a clickjacking attack (https://www.owasp.org/index.php/Clickjacking), tricking a user into performing an action in Canvas unintentionally.
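To check whether a given response carries the framing protection whose absence is described above, the following added example (not Canvas code and not the Canvas patch) classifies a set of response headers. It assumes the standard `X-Frame-Options` and CSP `frame-ancestors` semantics; the function name and the sample hosts are hypothetical.

```ruby
# Added example, not Canvas code. Header semantics follow RFC 7034
# (X-Frame-Options) and CSP Level 2 (frame-ancestors).

# Returns [verdict, reason]; verdict is :protected or :frameable.
def framing_verdict(headers)
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v.to_s }

  # Browsers that support frame-ancestors enforce it and ignore X-Frame-Options.
  directive = h.fetch('content-security-policy', '').split(';').map(&:strip)
               .find { |d| d.split.first&.downcase == 'frame-ancestors' }
  if directive
    sources = directive.split.drop(1).map(&:downcase)
    # '*' or a bare scheme such as 'https:' lets any origin frame the page.
    open = sources.select { |s| s == '*' || s.match?(/\A[a-z][a-z0-9+.-]*:\z/) }
    return [:frameable, "frame-ancestors allows any origin (#{open.join(' ')})"] unless open.empty?
    # An empty source list matches nothing, which is equivalent to 'none'.
    return [:protected, "frame-ancestors #{sources.empty? ? "'none'" : sources.join(' ')}"]
  end

  xfo = h['x-frame-options']
  return [:frameable, 'no anti-framing header present'] if xfo.nil?

  # ALLOW-FROM is obsolete and ignored by current browsers, so it counts as unprotected.
  value = xfo.strip.upcase
  return [:protected, "X-Frame-Options: #{value}"] if %w[DENY SAMEORIGIN].include?(value)
  [:frameable, "X-Frame-Options value #{xfo.inspect} is not enforced"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample responses (hypothetical hosts).
  samples = {
    'no headers'      => {},
    'XFO sameorigin'  => { 'X-Frame-Options' => 'SAMEORIGIN' },
    'XFO allow-from'  => { 'X-Frame-Options' => 'ALLOW-FROM https://portal.example' },
    'CSP allow-list'  => { 'Content-Security-Policy' =>
                           "default-src 'self'; frame-ancestors 'self' https://portal.example" },
    'CSP wildcard'    => { 'Content-Security-Policy' => 'frame-ancestors *',
                           'X-Frame-Options' => 'DENY' }
  }
  samples.each { |name, hdrs| puts "#{name}: #{framing_verdict(hdrs).inspect}" }
end
```

A response is reported as frameable when neither header is present, which is the condition this advisory describes.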
Fixed in Canvas Cloud. Canvas CV users are encouraged to either update to the most recent stable code, apply the patch manually, or run the following command in a script/console session and restart the Canvas web processes: