SECURITY UPDATE |  |
| Release Date: | 2014-05-01 (Last update can be found below the document title) |
| Description: | Cross Account Login Creation |
| Criticality Level: | Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: | Exposure of Sensitive Data |
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Internal Audit |
| Relevant Changesets: | fix permission checks around pseudonym creation · instructure/canvas-lms@19d4d95 · GitHub |
Summary:
A bug in permissions checking could allow a malicious user to create logins in accounts that they wouldn't normally be allowed to. This could allow access to basic account information, depending on authentication settings.
Status:
Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
