2014-09-12 Instructure Advisory IAC25534 - Potential data leakage via HTML source in accounts with Profiles enabled

Document created by jordan@instructure.com on Sep 22, 2015Last modified by biray@instructure.com on Sep 22, 2015
Version 2Show Document
  • View in full screen mode

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

 

  Release Date:2014-09-12  (Last update can be found below the document title)
  Description:"View Page Source" may users' information to students in accounts with Profiles enabled
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Possible unauthorized access to users' information
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Reported to support by customer at 5:53 PM MT on 9/11/2014
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/9fb07df165784207eaf2b44aecf0e26f002dd62b


 

Summary:

A security issue was reported to Instructure Customer Support by a institutional customer who discovered a potential data leakage issue with Canvas. In an account with Profiles enabled, when a student pulls "view source" on another user's course-level user page (.../courses/XXXX/users/XXXX), the resulting HTML may reveal information about the other user, including their login ID, primary email address, and enrollments.

 

Status:

Fixed in Canvas Cloud as of 9/12/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.

 

 


Attachments

    Outcomes