CVE-2017-1000507
Description
Canvas 3.4.2 stored XSS vulnerability in User details allows arbitrary JavaScript execution via crafted display name.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Canvas 3.4.2 stored XSS vulnerability in User details allows arbitrary JavaScript execution via crafted display name.
Vulnerability
Canvas version 3.4.2 contains a stored Cross-Site Scripting (XSS) vulnerability in the User details feature, specifically the display name field. An attacker can inject arbitrary JavaScript code that is stored and later executed when an administrator views the user list [2][3].
Exploitation
An attacker must have a valid user account to change their own display name. By setting the display name to a malicious payload such as ``, the script is stored. When an administrator navigates to the user listing page, the payload executes in the admin's browser without requiring any further interaction [3].
Impact
Successful exploitation allows arbitrary JavaScript execution in the context of an administrator's session. This can lead to session hijacking, defacement, or further compromise of the application. The vulnerability is classified as Stored XSS with high impact on confidentiality, integrity, and availability [2].
Mitigation
No official fix has been released for CVE-2017-1000507 as of the publication date. Users are advised to upgrade to a newer version if available, or implement input sanitization and output encoding for the display name field. The issue is tracked in the GitHub repository [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
austintoddj/canvasPackagist | <= 3.4.2 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"User-controllable display name is stored and later rendered in an admin user listing page without HTML encoding, enabling stored cross-site scripting."
Attack vector
An attacker with a valid user account sets their display name to a malicious payload such as `
Affected code
The vulnerability exists in the Canvas package (version 3.4.2) for Laravel. The user's display name field is stored and later rendered without HTML encoding when an admin views the user listing page [ref_id=2][ref_id=3]. No specific file or function is named in the reports, but the issue is in the view layer that outputs the display name.
What the fix does
The remediation recommended by the issue reporter is to HTML-encode the display name variable when it is printed in the user listing view [ref_id=2][ref_id=3]. No patch commit is included in the bundle, so the exact fix is not shown; however, applying proper output encoding (e.g., using Laravel's `{{ }}` syntax or `e()` helper) would neutralize the injected script tags and prevent XSS [CWE-79].
Preconditions
- authAttacker must have a valid user account on the Canvas application
- inputAn admin user must navigate to the user listing page after the attacker has saved the malicious display name
Reproduction
1. Log in with a valid user account. 2. Change the user's display name to `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-94hc-7qc9-34rfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-1000507ghsaADVISORY
- github.com/austintoddj/canvas/issues/359ghsaWEB
- github.com/cnvs/canvas/issues/359mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.