Unknown · Ruby On Rails · CVE-2024-51743
**Name of the Vulnerable Software and Affected Versions**
MarkUs versions prior to 2.4.8
**Description**
The vulnerability is an arbitrary file write in the update/upload/create file methods of the Controllers: an authenticated instructor can write files to any location on the web server that the application's filesystem permissions allow. This can escalate to delayed remote code execution if an attacker can write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application, since files in that directory are loaded the next time the application boots.
**Recommendations**
For MarkUs versions prior to 2.4.8, upgrade to version 2.4.8 to address the issue. As a temporary workaround, restrict access to the update/upload/create file methods in the Controllers to reduce the risk of exploitation, and avoid using the affected file upload functionality until the upgrade is applied.
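The root cause described above is a user-supplied file name being joined onto a storage directory without checking that the result stays inside it. The following Ruby example is added here to illustrate the defect and its fix; it is not MarkUs code and does not reflect the project's actual directory layout or method names (`unsafe_target_path`, `safe_target_path`, `write_submission` and the base directory are all hypothetical). It shows the vulnerable join beside a containment check that rejects `../` segments, absolute paths, null bytes and sibling-prefix escapes, and a writer that only ever uses the checked path.

```ruby
require "fileutils"
require "tmpdir"

# Raised when an untrusted name would resolve outside the storage directory.
class PathEscapeError < StandardError; end

# VULNERABLE PATTERN (illustrative, not MarkUs code): the untrusted name is
# joined straight onto the base directory. "../" segments or an absolute
# name walk out of base_dir, so the caller can write anywhere the process may.
def unsafe_target_path(base_dir, untrusted_name)
  File.join(base_dir, untrusted_name)
end

# HARDENED PATTERN: expand both paths lexically and require the result to be
# base_dir itself or to start with "base_dir/". The trailing separator matters:
# without it, "/srv/data2/x" would pass a prefix check against "/srv/data".
def safe_target_path(base_dir, untrusted_name)
  raise PathEscapeError, "null byte in file name" if untrusted_name.include?("\0")

  base   = File.expand_path(base_dir)
  target = File.expand_path(untrusted_name, base) # absolute names ignore base

  unless target == base || target.start_with?(base + File::SEPARATOR)
    raise PathEscapeError, "refusing to write outside #{base}: #{untrusted_name.inspect}"
  end
  target
end

# Convenience predicate: true if the name is accepted, false if it is rejected.
def upload_allowed?(base_dir, untrusted_name)
  safe_target_path(base_dir, untrusted_name)
  true
rescue PathEscapeError
  false
end

# Writes content under base_dir using only the checked path. Parent
# directories are created inside base_dir; nothing is created outside it.
def write_submission(base_dir, untrusted_name, content)
  target = safe_target_path(base_dir, untrusted_name)
  FileUtils.mkdir_p(File.dirname(target))
  File.write(target, content)
  target
end

if $PROGRAM_NAME == __FILE__
  # Constructed demo: a temporary directory stands in for the upload root.
  Dir.mktmpdir("uploads") do |root|
    # Constructed file names; the second mirrors the advisory's initializer scenario.
    ["group1/report.txt", "../../config/initializers/x.rb", "/etc/cron.d/job"].each do |name|
      puts "#{name.inspect}: unsafe -> #{unsafe_target_path(root, name)}"
      puts "#{' ' * name.inspect.size}  safe   -> #{upload_allowed?(root, name) ? 'accepted' : 'REJECTED'}"
    end
    puts "wrote #{write_submission(root, 'group1/report.txt', 'ok')}"
  end
end
```

The check is lexical, so it blocks traversal in the name itself but does not protect against a symlink already present inside the upload root pointing elsewhere; if uploads can create symlinks, resolve the parent directory with `File.realpath` before the prefix comparison as well.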