Canvas Security Updates

mspencer_inst · 2020-08-11

An unauthenticated blind SSRF (Server Side Request Forgery) vulnerability was identified and disclosed by a Tenable Security researcher. The vulnerability is due to not requiring LTI tools to sign requests to the server, allowing crafted API calls fr...

mhillary · 2019-07-11

SECURITY UPDATE Release Date:2019-07-11 Description:MathJax XSS Vulnerability Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) Impact:XSS (Cross Site Scripting) Systems Affected:Canvas ...

mhillary · 2019-02-14

SECURITY UPDATE Release Date:2019-02-14 Description:ePortfolio Export Vulnerability Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) Impact:Broken Access Control (BAC) / Insecure Direc...

mhillary · 2019-01-30

SECURITY UPDATE Release Date:2019-01-31 Description:Multiple XSS Vulnerabilities in Canvas Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) Impact:Stored Cross Site Scripting / Potential...

mhillary · 2018-01-10

SECURITY UPDATE Release Date:2018-01-10 Description:Response to Meltdown and Spectre Vulnerabilities Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) Impact:These hardware vulnerabilities ...

simon · 2017-11-09

SECURITY UPDATE Release Date:2017-11-09 Description:Two open redirect issues found in LTI tool handling Criticality Level:Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) Impact:A victim clicking a malicious link ...

wbillings · 2017-02-13

SECURITY UPDATE Release Date:2017-02-13 Description:XXE Vulnerability in Quizzes QTI Upload Criticality Level:Critical Impact:Potential read only access to underlying filesystem Systems Affected:Canvas LMS Solution Status:Patched Discovere...

wbillings · 2017-02-07

SECURITY UPDATE Release Date:2017-02-07 Description:MathML Stored XSS Criticality Level:Moderately Critical Impact:Cross Site Scripting / Potential Exposure of Sensitive Data Systems Affected:Canvas LMS Solution Status:Patched Discovered B...

wbillings · 2017-01-11

SECURITY UPDATE Release Date:2017-01-11 Description:Arbitrary Collaboration Enrollment Criticality Level:Highly Critical Impact:Potential Exposure of Sensitive Data Systems Affected:Canvas LMS Solution Status:Patched Discovered By:Internal...

wbillings · 2016-06-01

SECURITY UPDATE Release Date:2016-06-01 Description:Developer Key Privilege Escalation Criticality Level:Very High Impact:Potential manipulation of developer keys / Identity forgery Systems Affected:Potential impact includes all developer ke...

wbillings · 2016-03-07

SECURITY UPDATE Release Date:2016-03-07 Description:SSLv2 DROWN Attack Criticality Level:High Impact:Potential Exposure of Sensitive Data Systems Affected:Potential impact includes all platforms/sites protected by HTTPS Solution Status:Clos...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-11-07 (Last update can be found below the document title) Description:Multiple stored XSS vulnerabilities Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Criti...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-11-25 (Last update can be found below the document title) Description:CSRF and XSS vulnerability within Canvas Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly C...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-11-07 (Last update can be found below the document title) Description:Multiple cross site scripting vulnerabilities were discovered within the Canvas codebase during a routine security audit. The cross site ...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-1-14 (Last update can be found below the document title) Description:A vulnerability was discovered in SSLv3 which could allow a remote attacker to force a TLS downgrade negotiation, which could result in SSLv...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-10-13 (Last update can be found below the document title) Description:A path traversal vulnerability was discovered which potentially allowed for limited traversal of the host server’s filesystem and possible ...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-09-24 (Last update can be found below the document title) Description:GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote atta...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-09-12 (Last update can be found below the document title) Description:"View Page Source" may users' information to students in accounts with Profiles enabled Criticality Level:Moderately Critical ( Less Criti...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-07-24 (Last update can be found below the document title) Description:Boundary issues with rubyzip gem Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-07-11 (Last update can be found below the document title) Description:Inadvertent preview of locked files Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critic...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-06-27 (Last update can be found below the document title) Description:Vulnerability in Ruby's implementation of SAML Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Hi...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-06-10 (Last update can be found below the document title) Description:SpeedGrader XSS vulnerability Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) ...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-06-05 (Last update can be found below the document title) Description:Course Copy Exploit Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) Impact:Exp...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-05-08 (Last update can be found below the document title) Description:SQL Sanitization Vulnerability Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) Imp...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-05-01 (Last update can be found below the document title) Description:Cross Account Login Creation Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) ...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-04-08 (Last update can be found below the document title) Description:Update on CVE-2014-0160 (aka "the heartbleed bug") Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical ...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-04-04 (Last update can be found below the document title) Description:Cross Account Enrollment Creation Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) ...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-03-11 (Last update can be found below the document title) Description:Arbitrary Enrollment Deletion Criticality Level:Moderately Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) ...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-03-03 (Last update can be found below the document title) Description:False Zip File Size Attack Criticality Level:Less Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) Impact:De...

jordan · 2015-09-22

SECURITY UPDATE Release Date:2014-02-14 (Last update can be found below the document title) Description:SAML XML Signature Wrapping Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) Impact...

Canvas Security Updates