Autolab · Autolab · CVE-2024-53258
**Name of the Vulnerable Software and Affected Versions**
Autolab versions 3.0.0 through 3.0.2
**Description**
Autolab is a course management service that enables auto-graded programming assignments. The issue allows any logged-in student to download all of another student's assignment submissions through the `download all submissions` feature. This can leak submissions to unauthorized users, including the submissions of other students in the class or even instructor test submissions, provided the attacker knows the target's `user IDs`.
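The flaw described above is a missing authorization check on a user-supplied user ID. The following is an added illustration, not Autolab's own code: a constructed in-memory model of a course's submissions, with the unchecked pattern beside a hardened handler that only lets a user read their own submissions unless they hold the (assumed) instructor role.

```ruby
# Added example, not Autolab's code. All data, roles and function names here
# are constructed for illustration.

# Constructed sample data: who owns which submissions in one course.
SUBMISSIONS = [
  { id: 1, user_id: "student_a",   file: "lab1_a.tar" },
  { id: 2, user_id: "student_a",   file: "lab2_a.tar" },
  { id: 3, user_id: "student_b",   file: "lab1_b.tar" },
  { id: 4, user_id: "instructor1", file: "ref_solution.tar" },
]

# Assumed role table for the course.
ROLES = {
  "student_a"   => :student,
  "student_b"   => :student,
  "instructor1" => :instructor,
}

class NotAuthorized < StandardError; end

# The pattern the advisory describes: the requested user ID comes straight
# from the request and is trusted, so any logged-in user can fetch anyone's
# submissions simply by naming the target user ID.
def download_all_vulnerable(current_user, requested_user_id)
  raise NotAuthorized, "login required" if current_user.nil?
  SUBMISSIONS.select { |s| s[:user_id] == requested_user_id }
             .map { |s| s[:file] }
end

# Hardened: decide authorization before touching any data. A student may
# only read their own submissions; only course staff may read another
# user's. Anything else is rejected rather than silently served.
def download_all_hardened(current_user, requested_user_id)
  raise NotAuthorized, "login required" if current_user.nil?
  staff = ROLES[current_user] == :instructor
  unless staff || requested_user_id == current_user
    raise NotAuthorized,
          "#{current_user} may not read submissions of #{requested_user_id}"
  end
  SUBMISSIONS.select { |s| s[:user_id] == requested_user_id }
             .map { |s| s[:file] }
end
```

The same check applies to any bulk-export endpoint: the server must derive the permitted scope from the authenticated session and the requester's role, never from an identifier the client chose.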
**Recommendations**
For Autolab versions 3.0.0 through 3.0.2, users are advised to either manually patch with commit `1aa4c769` or wait for version 3.0.3.
As a temporary workaround, administrators can disable the `download all submissions` feature to minimize the risk of exploitation.