2017-02-13 Instructure Advisory IAC16627 - XXE Vulnerability in Quizzes QTI Upload

Document created by Wade Billings on Feb 13, 2017. Last modified by Simon Williams on Feb 14, 2017.
Version 3




  Release Date: 2017-02-13

XXE Vulnerability in Quizzes QTI Upload

  Criticality Level: Critical

Potential read-only access to underlying filesystem

  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Unnamed BugCrowd Security Researcher as part of an annual vulnerability assessment

  Relevant Changesets: don't resolve entities in xml · instructure/QTIMigrationTool@729a35313c · GitHub



An external security audit discovered a vulnerability in the QTI Migration tool, which is used to convert QTI version 1.x data into QTI 2.0 content packages. The vulnerability allowed read-only access to the underlying filesystem. This means that a potential attacker could read files from various system-level directories where configuration and system user details are stored.

An internal forensic investigation found no evidence that the vulnerability, which had existed on the system for some time, was exploited while it was present on the system.



All systems were patched as of 13:21 MT on 2/3/2017.
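
The changeset above is titled "don't resolve entities in xml". As an added illustration of that defensive idea (this is not Instructure's patch and not code from QTIMigrationTool), the following pre-parse check uses Python's standard-library expat bindings to refuse uploaded XML that declares entities, and optionally any DOCTYPE. The function names, the policy flag and the sample documents are assumptions constructed for this example.

```python
import xml.parsers.expat

class ForbiddenXML(ValueError):
    """The upload uses an XML feature the policy refuses."""

def _check(data: bytes, allow_doctype: bool) -> None:
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if not allow_doctype:
            raise ForbiddenXML(f"DOCTYPE declaration refused: {name}")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Entity declarations are what make XXE possible, so refuse them all.
        kind = "external" if sysid is not None else "internal"
        raise ForbiddenXML(f"{kind} entity declaration refused: {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # An exception raised in a handler aborts the parse and propagates here.
    parser.Parse(data, True)

def scan_upload(data: bytes, allow_doctype: bool = False):
    """Return (accepted, reason) for one uploaded XML document."""
    try:
        _check(data, allow_doctype)
    except ForbiddenXML as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"

# Constructed sample inputs (not taken from the advisory).
PLAIN = b'<?xml version="1.0"?><questestinterop><item ident="q1"/></questestinterop>'
DTD_ONLY = (b'<?xml version="1.0"?><!DOCTYPE questestinterop SYSTEM "constructed.dtd">'
            b'<questestinterop><item ident="q1"/></questestinterop>')
WITH_ENTITY = (b'<?xml version="1.0"?><!DOCTYPE questestinterop ['
               b'<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
               b'<questestinterop><item ident="q1">&ext;</item></questestinterop>')

if __name__ == "__main__":
    for label, doc in (("plain", PLAIN), ("dtd", DTD_ONLY), ("entity", WITH_ENTITY)):
        print(label, scan_upload(doc), scan_upload(doc, allow_doctype=True))
```

With `allow_doctype=True` a bare DOCTYPE is tolerated but any entity declaration is still refused; expat does not fetch the external DTD subset unless parameter-entity parsing is explicitly enabled.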