2014-11-07 Instructure Advisory IAC31137 - Multiple stored XSS vulnerabilities*

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by jordan@instructure.com on Nov 2, 2015.
Version 3




  Release Date: 2014-11-07 (Last update can be found below the document title)

Multiple cross-site scripting vulnerabilities were discovered within the Canvas codebase during a routine security audit. The cross-site scripting vulnerabilities could allow for the insertion and storage of arbitrary HTML code into the Canvas application.

  Criticality Level: Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact: Insertion of arbitrary HTML code
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Internal audit
  Relevant Changesets:

fix html escaping on content migrations page · instructure/canvas-lms@08761ca · GitHub 



During a routine security audit of the Canvas codebase and platform, a number of cross-site scripting vulnerabilities were identified. Once identified and confirmed, these vulnerabilities were patched by the Instructure engineering team.



All systems were patched as of 15:32 MT on 11/6/2014.