SECURITY UPDATE |  |
| Release Date: | 2014-05-08 (Last update can be found below the document title) |
| Description: | SQL Sanitization Vulnerability |
| Criticality Level: | Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: |
Authentication Level: Logged in Canvas admins and instructors |
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Instructure Internal Audit |
| Relevant Changesets: | https://github.com/instructure/canvas-lms/commit/1f231d1369a4fbfeac4211524210b87d6e1a669a |
Summary:
A security audit has identified a SQL injection attack vector in the course import functionality, available to account admins and instructors.
Status:
A fix has been developed and deployed to Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
