CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53260 – Course Roster vulnerable to CSV Injection in Autolab
https://notcve.org/view.php?id=CVE-2024-53260
Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. • https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620 https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53258 – download_all_submissions allows student to download another student's submissions in Autolab
https://notcve.org/view.php?id=CVE-2024-53258
Autolab is a course management service that enables auto-graded programming assignments. From Autolab versions v.3.0.0 onward students can download all assignments from another student, as long as they are logged in, using the download_all_submissions feature. This can allow for leakage of submissions to unauthorized users, such as downloading submissions from other students in the class, or even instructor test submissions, given they know their user IDs. This issue has been patched in commit `1aa4c769` which is not yet in a release version, but is expected to be included in version 3.0.3. Users are advised to either manually patch or to wait for version 3.0.3. • https://github.com/autolab/Autolab/commit/1aa4c7690892fb458d2c61ff86739f368e34769d https://github.com/autolab/Autolab/security/advisories/GHSA-84qc-7773-2gg3 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 1.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52585 – Autolab has HTML Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-52585
Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on `gradesheet.js.erb` to take in feedback as text rather than html. • https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52584 – Autolab has vulnerable submission endpoints
https://notcve.org/view.php?id=CVE-2024-52584
Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available. • https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr • CWE-863: Incorrect Authorization •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49376 – Autolab Has Misconfigured Reset Password Permissions
https://notcve.org/view.php?id=CVE-2024-49376
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist. • https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm • CWE-287: Improper Authentication •