CVE-2024-53260

Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620	Patch
https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-11-27 22:15

Updated : 2025-04-21 15:07

NVD link : CVE-2024-53260

Mitre link : CVE-2024-53260

CVE.ORG link : CVE-2024-53260

JSON object : View

Products Affected

autolabproject

autolab

CWE

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

{"id": "CVE-2024-53260", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 2.3}]}, "published": "2024-11-27T22:15:05.353", "references": [{"url": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-1236"}]}], "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Autolab es un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n. Un usuario puede modificar su nombre y apellido para incluir una f\u00f3rmula v\u00e1lida de Excel o de una hoja de c\u00e1lculo. Cuando un instructor descarga la lista de su curso y la abre, este nombre se evaluar\u00e1 como una f\u00f3rmula. Esto podr\u00eda provocar una fuga de informaci\u00f3n de los estudiantes en la lista del curso al enviar los datos a un punto final remoto. Este problema se ha corregido en el repositorio de c\u00f3digo fuente y se espera que la soluci\u00f3n se publique en la pr\u00f3xima versi\u00f3n. Se recomienda a los usuarios que apliquen manualmente el parche a sus sistemas o que esperen a la pr\u00f3xima versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."}], "lastModified": "2025-04-21T15:07:22.850", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB361D34-3375-41C6-B7E4-A5E6CFAE7116", "versionEndIncluding": "3.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}