2014-06-05 Instructure Advisory IAC06959 - Course Copy Exploit

jordan
Instructure Alumni
Instructure Alumni
0
723

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-06-05  (Last update can be found below the document title)
  Description:Course Copy Exploit
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Exposure of Sensitive Data
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Internal Audit
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/937d87a01bfd8aed04e7e54b13620d359872f871


Summary:

A bug in permissions checking could allow a malicious user to initiate a course copy using a source course they do not normally have access to. This could allow access to course content that the user would not normally see.

Status:

Fixed in Canvas Cloud. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.