SECURITY UPDATE |  |
| Release Date: | 2014-09-12 (Last update can be found below the document title) |
| Description: | "View Page Source" may users' information to students in accounts with Profiles enabled |
| Criticality Level: | Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: |
|
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Reported to support by customer at 5:53 PM MT on 9/11/2014 |
| Relevant Changesets: | https://github.com/instructure/canvas-lms/commit/9fb07df165784207eaf2b44aecf0e26f002dd62b |
Summary:
A security issue was reported to Instructure Customer Support by a institutional customer who discovered a potential data leakage issue with Canvas. In an account with Profiles enabled, when a student pulls "view source" on another user's course-level user page (.../courses/XXXX/users/XXXX), the resulting HTML may reveal information about the other user, including their login ID, primary email address, and enrollments.
Status:
Fixed in Canvas Cloud as of 9/12/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
