CVE-2025-52585: 
F5 BIG-IP Virtual Edition (tier - best) vulnerability analysis and mitigation

Autolab, a course management service for auto-graded programming assignments, contains an HTML injection vulnerability in version 3.0.1 that affects instructors and Course Assistants (CAs) on the grade submissions page. The vulnerability was discovered and disclosed on November 18, 2024, and has been assigned identifier CVE-2024-52585 (NVD).

The vulnerability is classified as a Cross-site Scripting (CWE-79) issue. It has received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Additionally, under CVSS v4.0, it was assigned a score of 1.2 (Low) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U (NVD).

The vulnerability affects the grade submissions page where HTML injection could potentially allow manipulation of content displayed to instructors and CAs. This could lead to unauthorized modifications of how feedback is displayed in the system (GitHub Advisory).

The vulnerability has been patched in Autolab version 3.0.2. For those unable to update immediately, a manual fix is available by modifying line 589 in gradesheet.js.erb to process feedback as text rather than HTML. This change prevents the HTML injection vulnerability (GitHub Patch).