Markus
Monthly
Markus versions up to 2.9.4 is affected by improper restriction of recursive entity references in dtds (CVSS 4.9).
Unrestricted zip file extraction in MarkUs prior to version 2.9.4 allows authenticated users to trigger denial of service through resource exhaustion by uploading specially crafted archives with excessive file counts or sizes. Instructors and students can exploit this during assignment configuration uploads or submission handling to consume server resources and impact system availability. No patch is currently available for affected installations.
MarkUs prior to version 2.9.1 fails to sanitize user-submitted file contents in the HTML rendering endpoint, allowing authenticated users with UI interaction to inject malicious scripts that execute in other users' browsers. An attacker can exploit this reflected cross-site scripting vulnerability to steal session tokens, modify grades, or perform actions on behalf of affected students and instructors. The vulnerability has been patched in version 2.9.1.
MarkUs grading platform prior to 2.9.1 has a path traversal enabling students to access other students' submissions or grading data.
Markus versions up to 2.9.1 is affected by authorization bypass through user-controlled key (CVSS 6.5).
MarkUs is a web application for the submission and grading of student assignments. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
MarkUs is a web application for the submission and grading of student assignments. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
MarkUs, a web application for the submission and grading of student assignments, is vulnerable to path traversal in versions prior to 2.4.8. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity.
Markus versions up to 2.9.4 is affected by improper restriction of recursive entity references in dtds (CVSS 4.9).
Unrestricted zip file extraction in MarkUs prior to version 2.9.4 allows authenticated users to trigger denial of service through resource exhaustion by uploading specially crafted archives with excessive file counts or sizes. Instructors and students can exploit this during assignment configuration uploads or submission handling to consume server resources and impact system availability. No patch is currently available for affected installations.
MarkUs prior to version 2.9.1 fails to sanitize user-submitted file contents in the HTML rendering endpoint, allowing authenticated users with UI interaction to inject malicious scripts that execute in other users' browsers. An attacker can exploit this reflected cross-site scripting vulnerability to steal session tokens, modify grades, or perform actions on behalf of affected students and instructors. The vulnerability has been patched in version 2.9.1.
MarkUs grading platform prior to 2.9.1 has a path traversal enabling students to access other students' submissions or grading data.
Markus versions up to 2.9.1 is affected by authorization bypass through user-controlled key (CVSS 6.5).
MarkUs is a web application for the submission and grading of student assignments. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
MarkUs is a web application for the submission and grading of student assignments. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
MarkUs, a web application for the submission and grading of student assignments, is vulnerable to path traversal in versions prior to 2.4.8. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity.