2014-04-04 Instructure Advisory IAC74086 - Cross Account Enrollments

jordan
Instructure Alumni
Instructure Alumni
0
657

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2014-04-04  (Last update can be found below the document title)
  Description:Cross Account Enrollment Creation
  Criticality Level:Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:Exposure of Sensitive Data
  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:Kira Lawrence, Carol Cobb
  Relevant Changesets:

enrollments API requires pseudonym on course's root account · instructure/canvas-lms@f0a17fe · GitHu...


Summary:

A bug in permissions checking could allow a malicious admin or teacher to enroll users in their course that they wouldn't normally be allowed to. This could allow access to basic user information.

Status:

Fixed in Canvas Cloud. Does not affect Canvas CV, as it is not multi-tenant.