130 matches found
CVE-2026-28405 MarkUs: Stored XSS in Submission HTML Preview Enables Instructor-Context Actions
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses//assignments//submissions/htmlcontent route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1...
CVE-2026-28405
MarkUs (web-based submission and grading system) is affected by CVE-2026-28405 through the submissions/html_content route, where content from a student-submitted file is rendered without sanitization prior to version 2.9.1. The root cause is lack of input sanitization in how submitted files are r...
CVE-2026-28405 MarkUs: Stored XSS in Submission HTML Preview Enables Instructor-Context Actions
MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses//assignments//submissions/htmlcontent route reads the contents of a student-submitted file and renders them without sanitization. This issue has been patched in version 2.9.1...
MarkUs 跨站脚本漏洞
MarkUs is an open-source Ruby on Rails and React web application used for submitting and grading student assignments. Versions of MarkUs prior to 2.9.1 had a cross-site scripting vulnerability, which stemmed from failing to properly clean up when reading and rendering the content of student...
PT-2026-23504
Name of the Vulnerable Software and Affected Versions MarkUs versions prior to 2.9.1 Description MarkUs is a web application used for submitting and grading student assignments. Versions prior to 2.9.1 are susceptible to an issue where the application reads and renders the contents of...
CVE-2026-25057
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration courses//assignments/uploadconfigfiles. The uploaded zip file entry names are used to create paths to...
CVE-2026-24900
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses//assignments//submissions/htmlcontent accepted a selectfileid parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correct...
CVE-2026-24900
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses//assignments//submissions/htmlcontent accepted a selectfileid parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correct...
CVE-2026-25057
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration courses//assignments/uploadconfigfiles. The uploaded zip file entry names are used to create paths to...
CVE-2026-25057 Zip Slip in MarkUs config upload allowing RCE
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration courses//assignments/uploadconfigfiles. The uploaded zip file entry names are used to create paths to...
CVE-2026-25057
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration courses//assignments/uploadconfigfiles. The uploaded zip file entry names are used to create paths to...
CVE-2026-25057 Zip Slip in MarkUs config upload allowing RCE
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration courses//assignments/uploadconfigfiles. The uploaded zip file entry names are used to create paths to...
CVE-2026-25057
CVE-2026-25057 affects MarkUs prior to version 2.9.1. Instructors can upload a zip file to create an assignment from an exported configuration, and the zip entry names are used to construct paths for writing files to disk without validating those paths. This can allow arbitrary path usage during ...
CVE-2026-25057 Zip Slip in MarkUs config upload allowing RCE
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, instructors are able to upload a zip file to create an assignment from an exported configuration courses//assignments/uploadconfigfiles. The uploaded zip file entry names are used to create paths to...
CVE-2026-24900 MarkUs has a submission-view IDOR exposes all student submissions
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses//assignments//submissions/htmlcontent accepted a selectfileid parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correct...
CVE-2026-24900 MarkUs has a submission-view IDOR exposes all student submissions
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses//assignments//submissions/htmlcontent accepted a selectfileid parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correct...
CVE-2026-24900
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses//assignments//submissions/htmlcontent accepted a selectfileid parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correct...
CVE-2026-24900
An active vulnerability in MarkUs prior to version 2.9.1: the submissions/html_content endpoint accepts a select_file_id parameter that is not properly scoped to the requesting user, allowing access to arbitrary submission file contents by id. Impact is confidentiality (HIGH) without integrity/av...
CVE-2026-24900 MarkUs has a submission-view IDOR exposes all student submissions
MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses//assignments//submissions/htmlcontent accepted a selectfileid parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correct...
PT-2026-7132
Name of the Vulnerable Software and Affected Versions MarkUs versions prior to 2.9.1 Description MarkUs is a web application used for submitting and grading student assignments. Prior to version 2.9.1, instructors could upload a zip file to create an assignment from an exported configuration via...