Nicholas

**Name of the Vulnerable Software and Affected Versions** Autolab version 3.0.1 **Description** Autolab is a course management service that enables auto-graded programming assignments. There is an issue where CAs can view or edit the grade for any submission ID, even if they are not a CA for the class that has the submission. The endpoints only check that the CAs have the authorization level of a CA in the class in the endpoint, which is not necessarily the class the submission is attached to. **Recommendations** For Autolab version 3.0.1, update to version 3.0.2 to resolve the issue. As a temporary workaround, consider restricting access to the grade editing functionality for CAs to minimize the risk of exploitation.