Community

Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

2014-09-12 Instructure Advisory IAC25534 - Potential data leakage via HTML source in accounts with Profiles enabled

jordan
Community Champion
0 0 187
‎09-22-2015 12:29 PM

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-09-12  (Last update can be found below the document title)
  Description:"View Page Source" may users' information to students in accounts with Profiles enabled
  Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:
  • Possible unauthorized access to users' information
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Reported to support by customer at 5:53 PM MT on 9/11/2014
  Relevant Changesets:

https://github.com/instructure/canvas-lms/commit/9fb07df165784207eaf2b44aecf0e26f002dd62b

Summary:

A security issue was reported to Instructure Customer Support by a institutional customer who discovered a potential data leakage issue with Canvas. In an account with Profiles enabled, when a student pulls "view source" on another user's course-level user page (.../courses/XXXX/users/XXXX), the resulting HTML may reveal information about the other user, including their login ID, primary email address, and enrollments.

Status:

Fixed in Canvas Cloud as of 9/12/2014. Users of Canvas CV are encouraged to either update to the most recent stable code or apply the patch manually.

0 Kudos
About the Author

Jordan Dayton

Jordan has had various roles in the ed tech software (SAAS) industry for the past 9 years. (almost 5 years with Instructure). In his previous company he was a Client Services Manager for two years (responsible for account management, implementation, project management, and training, for each of his customers). After a year and a half he was commissioned to build a training department, all policies and procedures, and deliver training for all customers. Over the past eight years he has been in charge of conceiving, producing and deploying eLearning initiatives and strategies. He has trained over 3,000 adult learners with a wide range of technical aptitude, including K-12 Teachers, Principals, Administrators, Superintendents, Higher Ed Professors, Doctors, CTO’s, and Corporate Business Professionals and Executives. Jordan is an instructional designer and Community Manager for Instructure with a focus on connecting Canvas users with tools and resources that will help them get excited about and become proficient in utilizing the Canvas Learning Platform.

Labels