Description
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured password-reset permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset the passwords of privileged users' accounts and thereby potentially gain access to them. This issue is fixed in version 3.0.1. No known workarounds exist.
References (2)
Vendor Advisory (x_refsource_confirm): https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm
Scores
CVSS v3
8.8
EPSS
0.0032
EPSS Percentile
55.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-287
CWE-863
Status
published
Products (2)
autolabproject/autolab
3.0.0
rubygems/Autolab
3.0.0 - 3.0.1 (RubyGems)
Published
Oct 25, 2024
Tracked Since
Feb 18, 2026