SECURITY UPDATE |  |
| Release Date: | 2014-09-12 (Last update can be found below the document title) |
| Description: | "View Page Source" may users' information to students in accounts with Profiles enabled |
| Criticality Level: | Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: |
|
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Reported to support by customer at 5:53 PM MT on 9/11/2014 |
| Relevant Changesets: | https://github.com/instructure/canvas-lms/commit/9fb07df165784207eaf2b44aecf0e26f002dd62b |
Summary:
A security issue was reported to Instructure Customer Support by a institutional customer who discovered a potential data leakage issue with Canvas. In an account with Profiles enabled, when a student pulls "view source" on another user's course-level user page (.../courses/XXXX/users/XXXX), the resulting HTML may reveal information about the other user, including their login ID, primary email address, and enrollments.
Status:
Fixed in Canvas Cloud as of 9/12/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.
To interact with Panda Bot, our automated chatbot, you need to sign up or log in:
Sign in
