Markus
CVE-2024-47820
LOW
Severity by source
AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
MarkUs, a web application for the submission and grading of student assignments, is vulnerable to path traversal in versions prior to 2.4.8. Authenticated instructors may download any file on the web server MarkUs is running on, depending on the file permissions. MarkUs v2.4.8 has addressed this issue. No known workarounds are available at the application level aside from upgrading.
AnalysisAI
MarkUs, a web application for the submission and grading of student assignments, is vulnerable to path traversal in versions prior to 2.4.8. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity.
Technical ContextAI
This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. MarkUs, a web application for the submission and grading of student assignments, is vulnerable to path traversal in versions prior to 2.4.8. Authenticated instructors may download any file on the web server MarkUs is running on, depending on the file permissions. MarkUs v2.4.8 has addressed this issue. No known workarounds are available at the application level aside from upgrading. Affected products include: Markusproject Markus. Version information: prior to 2.4.8..
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.
MarkUs grading platform prior to 2.9.1 has a path traversal enabling students to access other students' submissions or g
MarkUs prior to version 2.9.1 fails to sanitize user-submitted file contents in the HTML rendering endpoint, allowing au
MarkUs is a web application for the submission and grading of student assignments. Rated high severity (CVSS 7.1), this
MarkUs is a web application for the submission and grading of student assignments. Rated high severity (CVSS 7.1), this
Unrestricted zip file extraction in MarkUs prior to version 2.9.4 allows authenticated users to trigger denial of servic
Markus versions up to 2.9.1 is affected by authorization bypass through user-controlled key (CVSS 6.5).
Markus versions up to 2.9.4 is affected by improper restriction of recursive entity references in dtds (CVSS 4.9).
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today