2019-01-31 Instructure Advisory IAC93485 - Multiple XSS Vulnerabilities in Canvas

mhillary
Community Novice
0
1803

    SECURITY UPDATE

Canvas + Logo transparent (WHITE)- 300px.png

  Release Date:2019-01-31
  Description:

Multiple XSS Vulnerabilities in Canvas

  Criticality Level:Highly Critical   ( Less Critical < Critical < Moderately Critical < Highly Critical )
  Impact:

Stored Cross Site Scripting / Potential Exposure of Sensitive Data

  Systems Affected:Canvas LMS
  Solution Status:Patched
  Discovered By:

DDV_UA (BugCrowd Security Researcher)

  Relevant Changesets:

fix focus return on discussion page · instructure/canvas-lms@35c64f056e · GitHub

fix vdd_tooltip selector issue · instructure/canvas-lms@54cecb0252 · GitHub

Change elementToggler to use text · instructure/canvas-lms@d62b910d73 · GitHub

Disallow javascript urls in inline previews · instructure/canvas-lms@8e8f3358fc · GitHub

fix XSS attack with rubrics · instructure/canvas-lms@22986bb9c9 · GitHub

sanitize HTML content in eportfolio preview · instructure/canvas-lms@2328ab322a · GitHub

move graded rubrics url to js_env · instructure/canvas-lms@eb4024c724 · GitHub

Fix XSS in calander · instructure/canvas-lms@466afa70be · GitHub

ensure icon_url is valid when outputting external tool config · instructure/canvas-lms@e3991ea49c · ...

Don't get quiz details url from data attribute · instructure/canvas-lms@d6751093e5 · GitHub

sanitize tooltip content · instructure/canvas-lms@5105235fe3 · GitHub


Summary:

The following findings were recently identified by the talented security researchers supporting our ongoing bug bounty program hosted by BugCrowd:

1. XXS via ‘data-tooltip’ attribute

A security researcher discovered Canvas editors allow for data-tooltip attribute to be modified to execute a script when triggered.

2. XSS in Calendar via `data-mathml` attribute

A security researcher discovered the data-mathml attribute can be modified to execute a script when accessing a calendar event.

3. XSS in Discussions via `data-focus-returns-to` attribute

A security researcher discovered the data-focus-returns-to attribute can be modified to execute a script when accessing a discussion topic.

4. XSS in Assignments via `vdd_tooltip_link` attribute

A security researcher discovered the vdd_tooltip_link attribute can be modified, by only users having the ability to modify assignments, to execute a script when modifying an assignment.

5. XSS in Canvas editors when referencing an External App via icon_url element

A security researcher discovered the icon_url element included as part of referencing an an External App configuration can be modified to execute a script when opening any editor referencing the External App.

6. XSS in Canvas editors via data-html-while-target-shown attribute

A security researcher discovered the data-html-while-target-shown attribute can be modified to execute a script when when the associated link is clicked.

7. XSS in ePortfolios

A security researcher discovered, in ePortfolios, an element with a specific attribute can be used to execute a script when the associated button is clicked.

8. XSS in Canvas editors via a.file_preview_link

A security researcher discovered, in Canvas editors, the file_preview_link parameter can be used to execute a script when the associated link clicked.

9. XSS in Canvas Quizzes via data_url attribute

A security researcher discovered, in Canvas Quizzes, the data_url attribute can be modified (by only users having the ability to modify quizzes) to request and execute a script when accessing a quiz.

Status:

All systems were patched as of 8:57 MT on 1/31/2019.