Xttraa

**Nome do Software Vulnerável e Versões Afetadas** Versões do MarkUs anteriores à 2.9.1 **Descrição** O MarkUs é uma aplicação web utilizada para o envio e correção de tarefas de alunos. Versões anteriores à 2.9.1 estão suscetíveis a uma vulnerabilidade na qual a aplicação lê e renderiza o conteúdo de arquivos enviados por alunos sem a devida sanitização através da rota `courses/<:course id>/assignments/<:assignment id>/submissions/html content`. A rota vulnerável permite a execução de conteúdo HTML arbitrário. Os parâmetros `course id` e `assignment id` são utilizados no endpoint de API afetado. **Recomendações** Atualize para a versão 2.9.1 ou superior.

**Name of the Vulnerable Software and Affected Versions** MarkUs versions prior to 2.9.1 **Description** MarkUs is a web application used for submitting and grading student assignments. A flaw exists where the `select file id` parameter in the ''courses/<:course id>/assignments/<:assignment id>/submissions/html content'' endpoint was not properly restricted to the user making the request. This allowed users to access submission file contents by ID without authorization. The vulnerable parameter is `select file id`. **Recommendations** Upgrade to version 2.9.1 or later.

**Name of the Vulnerable Software and Affected Versions** MarkUs versions prior to 2.9.1 **Description** MarkUs is a web application used for submitting and grading student assignments. Prior to version 2.9.1, instructors could upload a zip file to create an assignment from an exported configuration via the `/courses/<:course id>/assignments/upload config files` API endpoint. The application does not properly validate the file names within the uploaded zip file before using them to create file paths, potentially allowing for malicious paths to be written to disk. **Recommendations** Update to version 2.9.1 or later.