Relate · CVE-2026-42197
**Name of the Vulnerable Software and Affected Versions**
RELATE versions prior to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620
**Description**
A stored cross-site scripting issue allows enrolled students to execute arbitrary JavaScript in an administrator's browser session, which could lead to a full admin account takeover. The `get_user()` function in `ParticipationAdmin` uses `mark_safe` with Python's `%` string formatting to render user-controlled input, bypassing Django's automatic HTML escaping. The values are derived from the `first_name` and `last_name` fields of the User model, which are editable by authenticated users via the `/profile/` endpoint without sanitization. The script executes when an administrator views the Participation list in the Django admin panel.
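As an added illustration of the bug class (this is not Relate's own code; the column name, format string and sample values are hypothetical), the `mark_safe` + `%` pattern the advisory names sits beside the `format_html` form that keeps Django's escaping, with a small check that shows which one lets markup through. It falls back to minimal stand-ins so it runs without Django installed.

```python
import html

try:
    from django.utils.html import format_html
    from django.utils.safestring import mark_safe
except ImportError:
    # Minimal stand-ins (constructed) for the two Django helpers used below
    class SafeString(str):
        """Marks text as already escaped, like Django's SafeString."""

    def mark_safe(s):
        return SafeString(s)

    def _esc(value):
        # Already-safe strings pass through; everything else is HTML-escaped
        if isinstance(value, SafeString):
            return value
        return html.escape(str(value), quote=True)

    def format_html(fmt, *args, **kwargs):
        # Escape every interpolated value, then mark the composed markup safe
        return mark_safe(fmt.format(*[_esc(a) for a in args],
                                    **{k: _esc(v) for k, v in kwargs.items()}))


def get_user_vulnerable(first_name, last_name, username):
    """Hypothetical list_display column using the pattern the advisory names:
    user-controlled names interpolated with %, then the whole string mark_safe()'d,
    so Django's auto-escaping never sees the name fields."""
    return mark_safe("%s %s (%s)" % (first_name, last_name, username))


def get_user_fixed(first_name, last_name, username):
    """Same column with format_html(): each argument is escaped individually
    and only the composed result is marked safe."""
    return format_html("{} {} ({})", first_name, last_name, username)


def contains_raw_tag(rendered):
    """Review check: does an unescaped '<' survive into the admin column?"""
    return "<" in rendered


# Constructed sample: a profile first_name carrying markup
FIRST_NAME = "<script>/*constructed*/</script>"

if __name__ == "__main__":
    print(get_user_vulnerable(FIRST_NAME, "Doe", "jdoe"))  # markup intact
    print(get_user_fixed(FIRST_NAME, "Doe", "jdoe"))       # markup escaped
```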
**Recommendations**
Update to commit 555f0efb1c5bd7531c07cd73724d7e566a81f620.