SECURITY UPDATE |  |
| Release Date: | 2012-11-26 (Last update can be found below the document title) |
| Description: | Clickjacking Vulnerability |
| Criticality Level: | Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: |
|
| Systems Affected: | Canvas LMS |
| Solution Status: | Fixed in Canvas Cloud |
| Discovered By: | Himanshu Kumar Das |
| Relevant Changesets: | Canvas: https://github.com/instructure/canvas-lms/commit/6ec1f7097348a936f3fa73ff5652c7071f8441bf |
Summary:
Because Canvas was not protecting itself against being embedded in an iframe on another domain, it was possible for an attacker to craft a clickjacking attack (https://www.owasp.org/index.php/Clickjacking), tricking a user into performing an action in Canvas unintentionally.
Status:
Fixed in Canvas Cloud. Canvas CV users are encouraged to either update to the most recent stable code, apply the patch manually, or run the following command in a script/console session and restart canvas web processes:
Setting.set('block_html_frames', 'true')
