2017-02-07 Instructure Advisory IAC20604 - MathML Stored XSS

Document created by Wade Billings (Employee) on Feb 7, 2017. Last modified by Simon Williams on Feb 14, 2017.
Version 3

    SECURITY UPDATE


  Release Date: 2017-02-07
  Description: MathML Stored XSS
  Criticality Level: Moderately Critical
  Impact: Cross Site Scripting / Potential Exposure of Sensitive Data
  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Fyoorer, as part of a Bugcrowd audit
  Relevant Changesets: prevent storing scripts in mathml href tags · instructure/canvas-lms@5f3a8938c6 · GitHub


 

Summary:

An external security audit discovered a misconfigured whitelist for protocols allowed in href attributes for MathML tags (<math href="...">). This allowed a potential attacker to run JavaScript when a MathML tag was clicked in Safari or Firefox, where MathML is supported.
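The following is an added example, not code from Canvas or Instructure. It models one way a protocol whitelist can miss an element (an assumption about the general failure shape, since the advisory does not show the configuration) beside a check keyed on the attribute alone. All constant and method names, the scheme list and the sample values are hypothetical.

```ruby
# Added example: a model of a sanitizer protocol allowlist, not Canvas code.
ALLOWED_SCHEMES = %w[http https mailto].freeze   # assumed policy
URL_ATTRIBUTES  = %w[href xlink:href].freeze

# Weak shape: protocols are listed per element, so any element that accepts
# href but has no entry (here: math) gets its href stored unchecked.
WEAK_PROTOCOLS = { 'a' => { 'href' => ALLOWED_SCHEMES } }.freeze

# Browsers ignore leading control characters/spaces and embedded tab, CR and
# LF when resolving a URL, so normalise the same way before reading the scheme.
def url_scheme(value)
  cleaned = value.to_s.sub(/\A[\u0000-\u0020]+/, '').gsub(/[\t\r\n]/, '')
  match = cleaned.match(/\A([a-z][a-z0-9+.\-]*):/i)
  match && match[1].downcase
end

def weak_allows?(element, attr, value)
  allowed = WEAK_PROTOCOLS.dig(element.downcase, attr.downcase)
  return true if allowed.nil?            # no rule for this element: passes through
  scheme = url_scheme(value)
  scheme.nil? || allowed.include?(scheme)
end

# Hardened shape: the scheme check is keyed on the attribute only, so it
# applies to every element, MathML included. A nil scheme is a relative URL.
def hardened_allows?(_element, attr, value)
  return true unless URL_ATTRIBUTES.include?(attr.downcase)
  scheme = url_scheme(value)
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme)
end

# Constructed sample attributes: [element, attribute, value]
SAMPLES = [
  ['a',    'href', 'https://example.edu/syllabus'],
  ['math', 'href', '/courses/1/pages/formulas'],
  ['math', 'href', 'javascript:void(0)'],
  ['math', 'href', " JaVa\tScript:void(0)"],
].freeze

# Returns [element, value, weak verdict, hardened verdict] for each sample.
def compare(samples = SAMPLES)
  samples.map { |el, at, v| [el, v, weak_allows?(el, at, v), hardened_allows?(el, at, v)] }
end

compare.each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```

The check assumes it receives attribute values from a parsed document, so character references are already decoded before the scheme is read.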

 

Status:

All systems were patched as of 11:01 MT on 2/7/2017.

 

