{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-53260", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-11-19T20:08:14.480Z", "datePublished": "2024-11-27T21:28:33.896Z", "dateUpdated": "2024-11-29T18:10:01.006Z"}, "containers": {"cna": {"title": "Course Roster vulnerable to CSV Injection in Autolab", "problemTypes": [{"descriptions": [{"cweId": "CWE-1236", "lang": "en", "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g"}, {"name": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620", "tags": ["x_refsource_MISC"], "url": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620"}], "affected": [{"vendor": "autolab", "product": "Autolab", "versions": [{"version": "<= 3.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-27T21:28:33.896Z"}, "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-cqxx-pfmh-h43g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53260", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-29T18:04:55.311080Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-29T18:10:01.006Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-53260", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-29T18:04:55.311080Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-29T18:04:57.875Z"}}], "cna": {"title": "Course Roster vulnerable to CSV Injection in Autolab", "source": {"advisory": "GHSA-cqxx-pfmh-h43g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "autolab", "product": "Autolab", "versions": [{"status": "affected", "version": "<= 3.0.2"}]}], "references": [{"url": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g", "name": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620", "name": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1236", "description": "CWE-1236: Improper Neutralization of Formula Elements in a CSV File"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-11-27T21:28:33.896Z"}}}, "cveMetadata": {"cveId": "CVE-2024-53260", "state": "PUBLISHED", "dateUpdated": "2024-11-29T18:10:01.006Z", "dateReserved": "2024-11-19T20:08:14.480Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-11-27T21:28:33.896Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:autolabproject:autolab:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB361D34-3375-41C6-B7E4-A5E6CFAE7116", "versionEndIncluding": "3.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Autolab is a course management service that enables auto-graded programming assignments. A user can modify their first and or last name to include a valid excel / spreadsheet formula. When an instructor downloads their course's roster and opens, this name will then be evaluated as a formula. This could lead to leakage of information of students in the course roster by sending the data to a remote endpoint. This issue has been patched in the source code repository and the fix is expected to be released in the next version. Users are advised to manually patch their systems or to wait for the next release. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Autolab es un servicio de gesti\u00f3n de cursos que permite la calificaci\u00f3n autom\u00e1tica de tareas de programaci\u00f3n. Un usuario puede modificar su nombre y apellido para incluir una f\u00f3rmula v\u00e1lida de Excel o de una hoja de c\u00e1lculo. Cuando un instructor descarga la lista de su curso y la abre, este nombre se evaluar\u00e1 como una f\u00f3rmula. Esto podr\u00eda provocar una fuga de informaci\u00f3n de los estudiantes en la lista del curso al enviar los datos a un punto final remoto. Este problema se ha corregido en el repositorio de c\u00f3digo fuente y se espera que la soluci\u00f3n se publique en la pr\u00f3xima versi\u00f3n. Se recomienda a los usuarios que apliquen manualmente el parche a sus sistemas o que esperen a la pr\u00f3xima versi\u00f3n. No se conocen workarounds para esta vulnerabilidad."}], "id": "CVE-2024-53260", "lastModified": "2025-04-21T15:07:22.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-11-27T22:15:05.353", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/autolab/Autolab/commit/fe44b53815d37c63e751032205b692ccd5737620"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/autolab/Autolab/security/advisories/GHSA-cqxx-pfmh-h43g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1236"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}