|Release Date:||2014-04-04 (Last update can be found below the document title)|
|Description:||Cross Account Enrollment Creation|
|Criticality Level:||Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )|
|Impact:||Exposure of Sensitive Data|
|Systems Affected:||Canvas LMS|
|Discovered By:||Kira Lawrence, Carol Cobb|
A bug in permissions checking could allow a malicious admin or teacher to enroll users in their course that they wouldn't normally be allowed to. This could allow access to basic user information.
Fixed in Canvas Cloud. Does not affect Canvas CV, as it is not multi-tenant.