3 results (0.012 seconds)

CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0

Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. • https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620 https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •

CVSS: 1.2EPSS: 0%CPEs: 1EXPL: 0

Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on `gradesheet.js.erb` to take in feedback as text rather than html. • https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 0

Autolab is a course management service that enables auto-graded programming assignments. There is a vulnerability in version 3.0.1 where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. Version 3.0.2 contains a patch. No known workarounds are available. • https://github.com/autolab/Autolab/commit/96006d532a392eeca2d350d1811f8e8ab9625bda https://github.com/autolab/Autolab/security/advisories/GHSA-rjg4-cf66-x6gr • CWE-863: Incorrect Authorization •