CVE-2024-52585
1.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U
Summary
Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on gradesheet.js.erb to take in feedback as text rather than html.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| autolab | Autolab | = 3.0.1 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2
- https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.