2014-11-07 Instructure Advisory IAC31137 - Multiple stored XSS vulnerabilities*

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by jordan@instructure.com on Nov 2, 2015.
Version 3

    SECURITY UPDATE


  Release Date: 2014-11-07 (Last update can be found below the document title)
  Description:

Multiple cross-site scripting vulnerabilities were discovered within the Canvas codebase during a routine security audit. These vulnerabilities could allow for the insertion and storage of arbitrary HTML code into the Canvas application.

  Criticality Level: Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact: Insertion of arbitrary HTML code
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Internal audit
  Relevant Changesets:

fix html escaping on content migrations page · instructure/canvas-lms@08761ca · GitHub

Summary:

During a routine security audit of the Canvas code base and platform, a number of cross-site scripting vulnerabilities were identified. Once identified and confirmed, these vulnerabilities were patched by the Instructure engineering team.

Status:

All systems were patched as of 15:32 MT on 11/6/2014