MarkUs Stored Cross-Site Scripting Vulnerability in Submissions HTML Content Route

A stored cross-site scripting vulnerability has been identified in MarkUs versions prior to 2.9.1. The issue arises in the 'courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content' route, which processes and displays student-submitted files without proper sanitization. This flaw allows malicious JavaScript to be executed with elevated privileges when viewed by instructors or graders. Although the route is primarily used for rendering Jupyter notebooks and RMarkdown files, the lack of sanitization in the RMarkdown conversion poses a significant risk. The vulnerability can also be exploited by crafting a specific URL that includes a maliciously designed file.

Impact

Exploitation of this vulnerability leads to stored cross-site scripting, where injected scripts are executed in the context of the user viewing the submission, potentially with elevated permissions.

Reproduction

To reproduce this vulnerability, upload a file containing malicious JavaScript to an assignment that uses the 'html_content' submission route. Ensure that the assignment is configured to allow the upload of untrusted files, such as those with a '.js' extension. After uploading, the injected script will execute when an instructor or grader views the submission through the 'html_content' route.

Remediation

Users are advised to upgrade to MarkUs version 2.9.1 or later, where this vulnerability has been patched by removing the insecure 'html_content' route and implementing content security policies that prevent the execution of embedded scripts in RMarkdown files.