cancel
Showing results for 
Search instead for 
Did you mean: 

2019-02-14 Instructure Advisory IAC93493 - ePortfolio Export Vulnerability

mhillary
Community Member
0 0 587

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2019-02-14
  Description:

ePortfolio Export Vulnerability

  Criticality Level:Highly Critical   ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

Broken Access Control (BAC)  /  Insecure Direct Object References (IDOR)

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

Defektive (Security Researcher)

  Relevant Changesets:

ensure user can read eportfolio files before zipping them up · instructure/canvas-lms@8df2da8622 · G...


Summary:

A security researcher supporting our ongoing bug bounty program hosted by BugCrowd identified a vulnerability in ePortfolios, which allowed an authenticated user to access files not owned by the user as part of an ePortfolio export.  

Status:

All systems were patched as of 8:17 PM MT on 2/11/2019.

Labels