Release Date: 2014-03-11 (Last update can be found below the document title)
Arbitrary Enrollment Deletion
Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
Restricted Privilege Escalation
Manipulation of Sensitive Data
Shea Silverman and Brandon Stull
A bug in permissions checking could allow a malicious user to mark enrollments as deleted in a course where they would not normally have permission to do so. No data would be permanently lost, as the enrollment was only soft-deleted and could be restored.
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.