The Instructure Community will enter a read-only state on November 22, 2025 as we prepare to migrate to our new Community platform in early December. Read our blog post for more info about this change.
SECURITY UPDATE |  |
| Release Date: | 2011-11-17 (Last update can be found below the document title) |
| Description: | SQL Sanitization Vulnerability |
| Criticality Level: | Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: |
|
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Securus Global |
| Relevant Changesets: | https://github.com/instructure/canvas-lms/commit/2183ac7e1006cbfb49a18780d1de767fd753bd45 |
Summary:
A security audit has identified a SQL injection attack vector in the file re-ordering capability, available in the users file area and the course/group file areas.
Status:
A fix to properly escape the posted user input has been developed and deployed to Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually immediately.
Community help
To interact with Panda Bot, our automated chatbot, you need to sign up or log in:
Sign in