SECURITY UPDATE |  |
| Release Date: | 2014-03-11 (Last update can be found below the document title) |
| Description: | Arbitrary Enrollment Deletion |
| Criticality Level: | Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: | Restricted Privilege Escalation Manipulation of Sensitive Data |
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Shea Silverman and Brandon Stull |
| Relevant Changesets: | https://github.com/instructure/canvas-lms/commit/a1b5d8ab1298d8aa03f8312cbb50d24a6a66dd6e |
Summary:
A bug in permissions checking could allow a malicious user to mark enrollments as deleted in a course that they wouldn't normally have access to do so in. No data would be permanently lost, as the enrollment was only soft deleted and could be restored.
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
