Vulnerability-Lookup

CVE-2026-24900 (GCVE-0-2026-24900)

Vulnerability from cvelistv5 – Published: 2026-02-09 18:39 – Updated: 2026-02-10 16:01

Title

MarkUs has a submission-view IDOR exposes all student submissions

Summary

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

URL

Tags

	https://github.com/MarkUsProject/Markus/security/…	x_refsource_CONFIRM
	https://github.com/MarkUsProject/Markus/commit/7d…	x_refsource_MISC
	https://github.com/MarkUsProject/Markus/releases/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	MarkUsProject	Markus	Affected: < 2.9.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24900",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T15:30:26.838188Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-10T16:01:21.289Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Markus",
          "vendor": "MarkUsProject",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.9.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/\u003c:course_id\u003e/assignments/\u003c:assignment_id\u003e/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-09T18:39:52.161Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88"
        },
        {
          "name": "https://github.com/MarkUsProject/Markus/commit/7daed9fd2d44932223798d997b55094a3bff104b",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MarkUsProject/Markus/commit/7daed9fd2d44932223798d997b55094a3bff104b"
        },
        {
          "name": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1"
        }
      ],
      "source": {
        "advisory": "GHSA-56gh-8hmq-7q88",
        "discovery": "UNKNOWN"
      },
      "title": "MarkUs has a submission-view IDOR exposes all student submissions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-24900",
    "datePublished": "2026-02-09T18:39:52.161Z",
    "dateReserved": "2026-01-27T19:35:20.529Z",
    "dateUpdated": "2026-02-10T16:01:21.289Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-24900\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-09T20:15:56.387\",\"lastModified\":\"2026-02-19T20:08:14.250\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/\u003c:course_id\u003e/assignments/\u003c:assignment_id\u003e/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.\"},{\"lang\":\"es\",\"value\":\"MarkUs es una aplicaci\u00f3n web para la entrega y calificaci\u00f3n de tareas de estudiantes. Antes de 2.9.1, la ruta courses/\u0026lt;:course_id\u0026gt;/assignments/\u0026lt;:assignment_id\u0026gt;/submissions/html_content aceptaba un par\u00e1metro select_file_id para servir objetos SubmissionFile que conten\u00edan un registro de los archivos entregados por los estudiantes. Este par\u00e1metro no estaba correctamente acotado al usuario solicitante, permitiendo a los usuarios acceder a contenidos arbitrarios de archivos de entrega por ID. Esta vulnerabilidad est\u00e1 corregida en 2.9.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.9.1\",\"matchCriteriaId\":\"2D6B2B7B-F46C-4CEE-86D4-B25D3746747A\"}]}]}],\"references\":[{\"url\":\"https://github.com/MarkUsProject/Markus/commit/7daed9fd2d44932223798d997b55094a3bff104b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24900\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-10T15:30:26.838188Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-10T15:30:27.490Z\"}}], \"cna\": {\"title\": \"MarkUs has a submission-view IDOR exposes all student submissions\", \"source\": {\"advisory\": \"GHSA-56gh-8hmq-7q88\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"MarkUsProject\", \"product\": \"Markus\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.9.1\"}]}], \"references\": [{\"url\": \"https://github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88\", \"name\": \"https://github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/MarkUsProject/Markus/commit/7daed9fd2d44932223798d997b55094a3bff104b\", \"name\": \"https://github.com/MarkUsProject/Markus/commit/7daed9fd2d44932223798d997b55094a3bff104b\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1\", \"name\": \"https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/\u003c:course_id\u003e/assignments/\u003c:assignment_id\u003e/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-09T18:39:52.161Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-24900\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-10T16:01:21.289Z\", \"dateReserved\": \"2026-01-27T19:35:20.529Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-09T18:39:52.161Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-24900

Vulnerability from fkie_nvd - Published: 2026-02-09 20:15 - Updated: 2026-02-19 20:08

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N