Community

Community FAQ
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

2019-02-14 Instructure Advisory IAC93493 - ePortfolio Export Vulnerability

mhillary
Community Member
0 0 587
‎02-14-2019 12:04 PM

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2019-02-14
  Description:

ePortfolio Export Vulnerability

  Criticality Level:Highly Critical   ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

Broken Access Control (BAC)  /  Insecure Direct Object References (IDOR)

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

Defektive (Security Researcher)

  Relevant Changesets:

ensure user can read eportfolio files before zipping them up · instructure/canvas-lms@8df2da8622 · G...

Summary:

A security researcher supporting our ongoing bug bounty program hosted by BugCrowd identified a vulnerability in ePortfolios, which allowed an authenticated user to access files not owned by the user as part of an ePortfolio export.  

Status:

All systems were patched as of 8:17 PM MT on 2/11/2019.

0 Kudos
About the Author

Matt Hillary

An amazing Canvas Community member!

Labels