2014-11-25 Instructure Advisory IAC19325 - CSRF and XSS vulnerability within Canvas

Document created by jordan@instructure.com on Sep 22, 2015. Last modified by scottd@instructure.com on Sep 22, 2015.
Version 2

    SECURITY UPDATE


 

  Release Date: 2014-11-25 (Last update can be found below the document title)
  Description: CSRF and XSS vulnerability within Canvas
  Criticality Level: Moderately Critical (Less Critical < Critical < Moderately Critical < Highly Critical)
  Impact: Insertion and execution of arbitrary HTML code
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Reported by customer via a third-party security assessment
  Relevant Changesets:

 


 

Summary:

During a routine security audit of the Canvas code base and platform, performed by a third party at the request of a customer, a cross-site request forgery (CSRF) vulnerability was identified. Once reported, the vulnerability was verified, confirmed and patched by the Instructure engineering team.

 

Status:

All systems were patched as of 17:53 MT on 11/19/2014

 

 

