Arbitrary file upload in Markusproject Markus
CVE-2024-51499
MarkUs is a web application for the submission and grading of student assignments. In versions prior to 2.4.8, an arbitrary file write vulnerability accessible via the update_files method of the SubmissionsController allows authenticated u…
Vulnerability class: Unrestricted File Upload
EPSS: 0.023 (84.9th percentile)
Affected products
- Markusproject Markus — versions < 2.4.8
Weakness classification (CWE)
References
- https://github.com/MarkUsProject/Markus/security/advisories/GHSA-j95p-7936-f75w (x_refsource_CONFIRM)
- https://github.com/MarkUsProject/Markus/pull/7026 (x_refsource_MISC)