2017-02-07 Instructure Advisory IAC20604 - MathML Stored XSS
| SECURITY UPDATE | |
| --- | --- |
| Release Date: | 2017-02-07 |
| Description: | MathML Stored XSS |
| Criticality Level: | Moderately Critical |
| Impact: | Cross Site Scripting / Potential Exposure of Sensitive Data |
| Systems Affected: | Canvas LMS |
| Solution Status: | Patched |
| Discovered By: | Fyoorer, as part of a bugcrowd audit |
| Relevant Changesets: | prevent storing scripts in mathml href tags · instructure/canvas-lms@5f3a8938c6 · GitHub |
Summary:
An external security audit discovered a misconfigured whitelist for the protocols allowed in href attributes on MathML tags (<math href="...">). This allowed a potential attacker to run JavaScript when a MathML tag was clicked in Safari or Firefox, where MathML is supported.
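
One way a per-element protocol whitelist can leave such a gap, and a check that catches it, as an added example that is not Canvas LMS code. The map layout, the element list, the allowed schemes and the sample values are assumptions constructed for illustration.

```ruby
# Added example, not Canvas LMS code. Element names, map layout and sample
# values are constructed for illustration.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Assumed weak layout: schemes are checked only for elements listed here.
WEAK_PROTOCOLS = { 'a' => { 'href' => ALLOWED_SCHEMES } }.freeze

# Corrected layout: every element that may carry href has a rule.
FIXED_PROTOCOLS = {
  'a'    => { 'href' => ALLOWED_SCHEMES },
  'math' => { 'href' => ALLOWED_SCHEMES }
}.freeze

# Elements the sanitizer lets through with an href attribute (assumed list).
HREF_ELEMENTS = %w[a math].freeze

# Scheme as a browser's URL parser sees it: leading/trailing control
# characters and spaces are stripped, tab/CR/LF are dropped anywhere, and
# case is ignored. Returns nil for a relative URL.
def url_scheme(value)
  cleaned = value.gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, '').delete("\t\r\n")
  match = cleaned.match(/\A([a-zA-Z][a-zA-Z0-9+.\-]*):/)
  match && match[1].downcase
end

# True when the href value may be stored for this element.
def href_allowed?(protocols, element, value)
  rule = protocols.dig(element, 'href')
  return true if rule.nil? # no rule: the value is never inspected
  scheme = url_scheme(value)
  scheme.nil? || rule.include?(scheme)
end

# Configuration audit: href-bearing elements that have no scheme rule.
def uncovered_elements(protocols, href_elements = HREF_ELEMENTS)
  href_elements.reject { |el| protocols.dig(el, 'href') }
end
```

Running `uncovered_elements` against the sanitizer configuration in a unit test turns a missing rule into a build failure instead of a stored value.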
Status:
All systems were patched as of 11:01 MT on 2/7/2017.
