2014-11-07 Instructure Advisory IAC31137 - Multiple stored XSS vulnerabilities*
SECURITY UPDATE |
Release Date: | 2014-11-07 (Last update can be found below the document title) |
Description: | Multiple cross-site scripting vulnerabilities were discovered within the Canvas codebase during a routine security audit. These vulnerabilities could allow arbitrary HTML code to be inserted into and stored in the Canvas application. |
Criticality Level: | Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
Impact: | Insertion of arbitrary HTML code |
Systems Affected: | Canvas LMS |
Solution Status: | Patched |
Discovered By: | Internal audit |
Relevant Changesets: | fix html escaping on content migrations page · instructure/canvas-lms@08761ca · GitHub |
Summary:
During a routine security audit of the Canvas codebase and platform, a number of cross-site scripting vulnerabilities were identified. Once identified and confirmed, these vulnerabilities were patched by the Instructure engineering team.
Status:
All systems were patched as of 15:32 MT on 11/6/2014.