2014-04-04 Instructure Advisory IAC74086 - Cross Account Enrollments

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by jordan@instructure.com on Sep 22, 2015.




  Release Date: 2014-04-04 (Last update can be found below the document title)
  Description: Cross Account Enrollment Creation
  Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact: Exposure of Sensitive Data
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Kira Lawrence, Carol Cobb
  Relevant Changesets: enrollments API requires pseudonym on course's root account (instructure/canvas-lms@f0a17fe on GitHub)



A bug in permissions checking could allow a malicious admin or teacher to enroll users in their course whom they would not normally be permitted to enroll, including users from other accounts. This could expose basic information about those users to the enrolling admin or teacher.
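The shape of the check described by the changeset title, shown as an added illustration in Ruby; this is a hypothetical model, not Canvas code, and the names Pseudonym, Course, User and EnrollmentPolicy are assumed. A pseudonym here stands for a user's login record on one root account (tenant).

```ruby
# Hypothetical model (not Canvas code) of the permission check behind this
# advisory. A pseudonym is a user's login record on a specific root account.
Pseudonym = Struct.new(:user_id, :account_id)
Course    = Struct.new(:id, :root_account_id)
User      = Struct.new(:id, :pseudonyms)

ENROLLING_ROLES = %w[teacher admin].freeze

module EnrollmentPolicy
  # Pre-fix shape of the check: only the actor's role on the course is
  # considered, so any user id the actor supplies can be enrolled,
  # including users who exist only in another root account.
  def self.allowed_before_fix?(actor_role, _course, _target)
    ENROLLING_ROLES.include?(actor_role)
  end

  # Post-fix shape: the target must also hold a pseudonym on the course's
  # root account, which keeps enrollments inside the tenant boundary.
  def self.allowed?(actor_role, course, target)
    return false unless ENROLLING_ROLES.include?(actor_role)

    target.pseudonyms.any? { |p| p.account_id == course.root_account_id }
  end
end

# Constructed sample data: two tenants, root accounts 1 and 2.
COURSE_IN_TENANT_1 = Course.new(10, 1)
LOCAL_USER   = User.new(100, [Pseudonym.new(100, 1)])
FOREIGN_USER = User.new(200, [Pseudonym.new(200, 2)])

# Decision of both checks for a teacher enrolling the given target user.
def enrollment_decisions(target)
  {
    before_fix: EnrollmentPolicy.allowed_before_fix?('teacher', COURSE_IN_TENANT_1, target),
    after_fix:  EnrollmentPolicy.allowed?('teacher', COURSE_IN_TENANT_1, target)
  }
end

if $PROGRAM_NAME == __FILE__
  puts "local user:   #{enrollment_decisions(LOCAL_USER)}"
  puts "foreign user: #{enrollment_decisions(FOREIGN_USER)}"
end
```

The foreign user is accepted by the pre-fix check and rejected by the post-fix check; a regression test on that second case is the cheapest way to keep this class of bug from returning.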



Fixed in Canvas Cloud. Does not affect Canvas CV, as it is not multi-tenant.