2019-02-14 Instructure Advisory IAC93493 - ePortfolio Export Vulnerability
| SECURITY UPDATE | |
| --- | --- |
| Release Date: | 2019-02-14 |
| Description: | ePortfolio Export Vulnerability |
| Criticality Level: | Highly Critical ( Less Critical < Critical < Moderately Critical < Highly Critical ) |
| Impact: | Broken Access Control (BAC) / Insecure Direct Object References (IDOR) |
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Defektive (Security Researcher) |
| Relevant Changesets: |
Summary:
A security researcher supporting our ongoing bug bounty program, hosted by Bugcrowd, identified a vulnerability in ePortfolios that allowed an authenticated user to access files not owned by that user as part of an ePortfolio export.
Status:
All systems were patched as of 8:17 PM MT on 2/11/2019.
