CVE-2021-36539 Information

Description

Instructure Canvas LMS didn’t properly deny access to locked/unpublished files when the unprivileged user access the DocViewer based file preview URL (canvadoc_session_url).

Reference

https://github.com/instructure/canvas-lms/issues/1905 Instructure Canvas LMS didn’t properly deny access to locked/unpublished files when the unprivileged user access the DocViewer based file preview URL (canvadoc_session_url).