2017-02-07 Instructure Advisory IAC20604 - MathML Stored XSS

wbillings
Instructure

SECURITY UPDATE

Release Date: 2017-02-07
Description: MathML Stored XSS
Criticality Level: Moderately Critical
Impact: Cross Site Scripting / Potential Exposure of Sensitive Data
Systems Affected: Canvas LMS
Solution Status: Patched
Discovered By: Fyoorer, as part of a Bugcrowd audit
Relevant Changesets: prevent storing scripts in mathml href tags · instructure/canvas-lms@5f3a8938c6 · GitHub


Summary:

An external security audit discovered a misconfigured whitelist for the protocols allowed in href attributes on MathML tags (<math href="...">). This allowed a potential attacker to run JavaScript when a MathML tag was clicked in Safari or Firefox, where MathML is supported.
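
A minimal model of the misconfiguration described above, as an added example that is not Canvas code or the referenced changeset: the config layout and the `url_scheme` and `scrub` helpers are hypothetical, and the sample href values are constructed. It shows a tag that accepts href without a protocol rule beside the corrected config.

```ruby
# Added illustration: hypothetical sanitizer config, not Canvas code.

# Weak: <math> may carry href, but only <a> has a protocol allowlist.
WEAK = {
  attributes: { 'a' => ['href'], 'math' => ['href'] },
  protocols:  { 'a' => { 'href' => %w[http https mailto] } }
}.freeze

# Corrected: every tag that accepts href also gets a protocol allowlist.
FIXED = {
  attributes: WEAK[:attributes],
  protocols:  WEAK[:protocols].merge('math' => { 'href' => %w[http https] })
}.freeze

# Return the lowercased URL scheme, or nil for a relative URL.
# Browsers ignore leading control/space characters and embedded
# tab/CR/LF when parsing a URL, so strip them before matching.
def url_scheme(value)
  cleaned = value.gsub(/[\t\r\n]/, '').sub(/\A[\x00-\x20]+/, '')
  m = cleaned.match(/\A([a-z][a-z0-9+.\-]*):/i)
  m && m[1].downcase
end

# Keep only attributes the config allows; for attributes with a protocol
# rule, keep the value only if it is relative or uses an allowed scheme.
def scrub(config, tag, attrs)
  allowed = config[:attributes].fetch(tag, [])
  attrs.select do |name, value|
    next false unless allowed.include?(name)
    rule = config[:protocols].dig(tag, name)
    next true if rule.nil? # no rule: the value passes unchecked
    scheme = url_scheme(value)
    scheme.nil? || rule.include?(scheme)
  end
end

# Constructed sample values.
SAMPLES = ['https://example.com/', 'javascript:alert(1)', " JaVa\tScript:alert(1)"].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |href|
    weak  = scrub(WEAK,  'math', 'href' => href).key?('href')
    fixed = scrub(FIXED, 'math', 'href' => href).key?('href')
    puts format('%-28s weak=%-5s fixed=%s', href.inspect, weak, fixed)
  end
end
```

A useful regression check for any such config is to assert that every tag/attribute pair able to hold a URL has a matching protocol rule.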

Status:

All systems were patched as of 11:01 MT on 2/7/2017.