2019-07-11 Instructure Advisory IAC26892 - MathJax XSS Vulnerability

  Release Date: 2019-07-11

MathJax XSS Vulnerability

  Criticality Level: Highly Critical (Less Critical < Critical < Moderately Critical < Highly Critical)

XSS (Cross Site Scripting)

  Systems Affected: Canvas LMS
  Solution Status: Patched
  Discovered By: Pull request to instructure/canvas-lms · GitHub

  Relevant Changesets: Fix critical MathJax XSS Vulnerability · instructure/canvas-lms@148fe06 · GitHub


An XSS (Cross Site Scripting) vulnerability was publicly disclosed via a pull request to instructure/canvas-lms on GitHub. The vulnerability stems from the version of the MathJax dependency used in a Canvas component, and it allows an attacker to exploit it with JavaScript via Canvas' Rich Text Editor.


All systems were patched as of 11:11 AM MT on 7/11/2019.