This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: MarkUs < v2.9.1 has a **Path Traversal** flaw. π₯ **Consequence**: Attackers can achieve **Arbitrary File Write**. This breaks integrity and availability of the system.
Q2Root Cause? (CWE/Flaw)
π‘οΈ **Root Cause**: **CWE-23** (Relative Path Traversal). The app fails to **validate file paths** properly before writing. π« No sanitization on user input.
Q3Who is affected? (Versions/Components)
π― **Affected**: **MarkUs** (Ruby on Rails + React). π **Version**: All versions **before 2.9.1**. π« Used for student assignment submission/grading.
Q4What can hackers do? (Privileges/Data)
π **Impact**: **Full Control** over file system writes. π Can overwrite critical config files or inject malicious scripts. π **CVSS**: High (C:H, I:H, A:H).
Q5Is exploitation threshold high? (Auth/Config)
π **Threshold**: **Medium**. Requires **PR:H** (High Privileges). π€ Attacker needs valid credentials. π« Not fully open to anonymous public.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π§ͺ **Exploit**: **No Public PoC** listed in data. π΅οΈββοΈ However, the flaw is logical (Path Traversal), making it **easily exploitable** by skilled hackers.
Q7How to self-check? (Features/Scanning)
π **Check**: Scan for **MarkUs** instances. π Look for file upload/processing endpoints. π§ͺ Test if relative paths (e.g., `../../`) bypass restrictions.
Q8Is it fixed officially? (Patch/Mitigation)
β **Fixed**: Yes! **v2.9.1** is the safe version. π₯ Update immediately. π See GitHub Advisory GHSA-mccg-p332-252h.
Q9What if no patch? (Workaround)
π **No Patch?**: Implement **Input Validation** on file paths. π« Reject `..` sequences. π‘οΈ Use **Chroot** or strict sandboxing for uploads.
Q10Is it urgent? (Priority Suggestion)
β‘ **Urgency**: **HIGH**. π Published Feb 2026. π Academic systems are high-value targets. πββοΈ Patch NOW to prevent data corruption.