2014-06-10 Instructure Advisory IAC08994 - XSS Attack Vulnerabilities

jordan
Instructure Alumni
Instructure Alumni
0
798

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-06-10  (Last update can be found below the document title)
  Description:SpeedGrader XSS vulnerability
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Insertion of arbitrary HTML code
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Customer reported and internal audit
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/a62bd4725084e58ac50d6e63e4b9a3eb20eecff8


Summary:

A bug in HTML validation code allowed for the insertion of arbitrary HTML code into the Canvas application.

Status:

Fixed in Canvas Cloud as of 6/10/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.