CVE-2021-36539

Published
CVSS v3: 6.5 (MEDIUM)
CVSS v2: N/A
Affected: 2 projects

Description

Instructure Canvas LMS didn't properly deny access to locked/unpublished files when an unprivileged user accesses the DocViewer-based file preview URL (canvadoc_session_url).

The open LMS by Instructure, Inc.
GitHub
6.67K
Gain access to any uploaded files in your class via DocViewer using an exploitation in Canvas API v1.
GitHub
1