PT-2023-12286 · Instructure · Instructure Canvas Lms

Gaukas

Publicado

2023-01-26

Atualizado

2024-01-31

CVE-2021-36539

CVSS v3.1

6.5

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Instructure Canvas LMS (affected versions not specified)

Description The issue concerns improper access control in Instructure Canvas LMS, where unprivileged users can access locked or unpublished files through the DocViewer based file preview URL, referred to as canvadoc session url. This allows unauthorized access to sensitive information.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

IDOR

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-639

Identificadores relacionados

BIT-CANVASLMS-2021-36539

CVE-2021-36539

Produtos afetados

Instructure Canvas Lms

PT-2023-12286 · Instructure · Instructure Canvas Lms

CVE-2021-36539

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 7