CVE-2024-52585

Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on `gradesheet.js.erb` to take in feedback as text rather than html.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c	Patch
https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:autolabproject:autolab:3.0.1:*:*:*:*:*:*:*

History

21 Jan 2025, 17:56

Type	Values Removed	Values Added
First Time		Autolabproject Autolabproject autolab
CPE		cpe:2.3:a:autolabproject:autolab:3.0.1:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
References	~~() https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c -~~	() https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c - Patch
References	~~() https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2 -~~	() https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2 - Vendor Advisory

Information

Published : 2024-11-18 21:15

Updated : 2025-01-21 17:56

NVD link : CVE-2024-52585

Mitre link : CVE-2024-52585

CVE.ORG link : CVE-2024-52585

JSON object : View

Products Affected

autolabproject

autolab

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2024-52585", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"safety": "NOT_DEFINED", "version": "4.0", "recovery": "NOT_DEFINED", "baseScore": 1.2, "automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "modifiedAttackVector": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subsequentSystemIntegrity": "LOW", "vulnerableSystemIntegrity": "NONE", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "confidentialityRequirements": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "vulnerableSystemAvailability": "NONE", "subsequentSystemConfidentiality": "LOW", "vulnerableSystemConfidentiality": "NONE", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED"}}]}, "published": "2024-11-18T21:15:07.183", "references": [{"url": "https://github.com/autolab/Autolab/commit/2429983b6caa245fea1b37f0dc236ccbcad9554c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-8qhp-jhhw-45r2", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vulnerability in version 3.0.1 that can affect instructors and CAs on the grade submissions page. The issue is patched in version 3.0.2. One may apply the patch manually by editing line 589 on `gradesheet.js.erb` to take in feedback as text rather than html."}, {"lang": "es", "value": "Autolab es un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n. Existe una vulnerabilidad de inyecci\u00f3n de HTML en la versi\u00f3n 3.0.1 que puede afectar a los instructores y a los CA en la p\u00e1gina de env\u00edo de calificaciones. El problema se solucion\u00f3 en la versi\u00f3n 3.0.2. Se puede aplicar el parche manualmente editando la l\u00ednea 589 en `gradesheet.js.erb` para que los comentarios se tomen como texto en lugar de HTML."}], "lastModified": "2025-01-21T17:56:12.597", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:autolabproject:autolab:3.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7DE5B67-FBCC-47C8-B03B-40B45F66A5B9"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}