PT-2024-34663 · Markus · Markus

David-Yz-Liu · Published 2024-11-18 · Updated 2025-09-04 · CVE-2024-51499

CVSS v3.1 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: MarkUs versions prior to 2.4.8

Description: MarkUs is a web application for the submission and grading of student assignments. An arbitrary file write vulnerability reachable through the update_files method of the SubmissionsController allows authenticated users to write arbitrary files to any location on the web server that the application's filesystem permissions allow. This can lead to delayed remote code execution if an attacker is able to write a Ruby file into the config/initializers/ subfolder of the Ruby on Rails application: files in that directory are loaded and executed when the application boots, so the payload runs on the next restart.

Recommendations: For versions prior to 2.4.8, upgrade to MarkUs 2.4.8 to address this issue. As a temporary workaround, restrict access to the SubmissionsController and its update_files method to minimize the risk of exploitation.
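The file write described above is the classic shape of this bug class: a user-controlled file name is joined onto a storage directory and written without checking where the result actually lands. The Ruby below is an added example, not MarkUs code and not the 2.4.8 fix; it shows the containment check a Rails application can put in front of such a write. The names `safe_upload_path`, `write_upload`, `write_upload_unsafe` and `PathEscapeError`, the upload root, and the sample file names are assumptions for illustration; `write_upload_unsafe` stands in for the vulnerable pattern and is included only for contrast.

```ruby
require "pathname"
require "fileutils"
require "tmpdir"

# Added example, not MarkUs code. All names here and the upload root are
# assumptions chosen for illustration.
class PathEscapeError < StandardError; end

# True when +path+ is +root+ itself or lies strictly beneath it. The separator
# is appended so "/srv/uploads_evil" is not accepted for root "/srv/uploads".
def inside?(path, root)
  path == root || path.to_s.start_with?(root.to_s + File::SEPARATOR)
end

# Resolve a user-supplied relative name against +root+ and return the absolute
# destination as a String, or raise PathEscapeError if it would leave +root+.
def safe_upload_path(root, user_path)
  raise PathEscapeError, "empty path" if user_path.nil? || user_path.empty?
  # NUL bytes truncate the path inside C-backed filesystem calls.
  raise PathEscapeError, "NUL byte in path" if user_path.include?("\0")

  root_real = Pathname.new(root).expand_path
  candidate = Pathname.new(user_path)
  # File.join and Pathname#+ let an absolute segment replace the root entirely.
  raise PathEscapeError, "absolute path rejected: #{user_path}" if candidate.absolute?

  # expand_path collapses "." and ".." lexically, so "x/../../etc" is seen for what it is.
  resolved = (root_real + candidate).expand_path
  raise PathEscapeError, "path resolves to the root itself" if resolved == root_real
  raise PathEscapeError, "path escapes root: #{user_path}" unless inside?(resolved, root_real)

  # Lexical checks cannot see symlinks. Walk up to the nearest existing
  # ancestor and confirm its real location is still inside the real root.
  existing = resolved
  existing = existing.parent until existing.exist?
  unless inside?(existing.realpath, root_real.realpath)
    raise PathEscapeError, "symlink escapes root: #{user_path}"
  end

  resolved.to_s
end

# The pattern the advisory describes, kept only for contrast: the user-
# controlled name is joined straight onto the root, so a name such as
# "../config/initializers/x.rb" lands wherever it says, permissions permitting.
def write_upload_unsafe(root, user_path, data)
  dest = File.join(root, user_path)
  FileUtils.mkdir_p(File.dirname(dest))
  File.write(dest, data)
  dest
end

# Hardened form: the same write, gated by the containment check.
def write_upload(root, user_path, data)
  dest = safe_upload_path(root, user_path)
  FileUtils.mkdir_p(File.dirname(dest))
  File.write(dest, data)
  dest
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |tmp|
    root = File.join(tmp, "uploads")
    FileUtils.mkdir_p(root)
    # Constructed sample names: one legitimate, two traversal attempts.
    ["group1/report.txt", "../config/initializers/evil.rb", "/etc/passwd"].each do |name|
      begin
        puts "allow #{name} -> #{safe_upload_path(root, name)}"
      rescue PathEscapeError => e
        puts "deny  #{name} (#{e.message})"
      end
    end
  end
end
```

The lexical prefix check alone is the part most implementations stop at; the realpath walk matters when the upload tree can contain symlinks (for example, a student submission repository checked out on disk), because a symlink inside the root makes a lexically clean path resolve elsewhere.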

Exploit · Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2024-51499
GHSA-J95P-7936-F75W

Affected Products

Markus