CVE-2024-52585: Autolab is a course management service that enables auto-graded programming assignments. There is an HTML injection vuln
Summary
Autolab, a course management service that auto-grades programming assignments, has an HTML injection vulnerability in version 3.0.1: untrusted feedback text is inserted into the page as HTML rather than as plain text. The flaw affects instructors and course assistants viewing grade submissions, because any markup embedded in the feedback is rendered in their browser. This enables cross-site scripting (XSS), the execution of attacker-supplied script in the victim's browser session, under the victim's Autolab privileges.
Solution / Mitigation
Update to version 3.0.2, which contains the patch. Alternatively, apply the fix by hand: on line 589 of `gradesheet.js.erb`, render the feedback as plain text instead of as HTML. After patching, confirm that feedback containing angle brackets is displayed literally on the grade sheet rather than being interpreted as markup.
Vulnerability Details
CVSS base score: 5.4 (Medium)
EPSS: 0.5%
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-52585
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 95%