CVE-2026-25057

MarkUs · MarkUs

MarkUs versions before 2.9.1 allow instructors to perform path traversal via malicious zip file uploads, enabling arbitrary file writes to the server disk.

Executive summary

A critical path traversal vulnerability in MarkUs (fixed in 2.9.1) allows authenticated instructors to write arbitrary files to the server, limited only by the permissions of the OS user running the web application, potentially leading to full compromise of the host.

Vulnerability

The application fails to validate entry names inside ZIP files uploaded during assignment configuration. An authenticated instructor can craft an archive whose entry names contain traversal sequences (e.g., ../) or, depending on how the extractor joins paths, absolute paths, so that on extraction files are written to any location on the server disk the web application's user can write to. The archive itself is well formed; only the entry names are hostile, which is why a plain file-type or size check on the upload does not stop it.
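The check that the fix has to perform on every archive entry, shown beside the naive extraction described above, as an added example in Ruby (MarkUs is a Rails application; this is illustrative code, not MarkUs's own). Archive contents are modelled as [entry name, body] pairs, the destination and sandbox layout are constructed in a temporary directory, and the function and variable names are this example's, not the project's. It also covers a case the advisory does not mention, a pre-existing symlink under the destination, because a purely lexical ../ check would still be fooled by one.

```ruby
require "fileutils"
require "tmpdir"

# Added example, not MarkUs code: the per-entry path check a ZIP extractor
# needs, shown beside the naive extraction the advisory describes. Archive
# contents are represented as [entry_name, body] pairs so no zip gem is needed.
class ZipSlipError < StandardError; end

def inside?(root, path)
  path == root || path.start_with?(root + File::SEPARATOR)
end

# Resolves entry_name under dest_dir and returns the absolute path it may be
# written to, or raises ZipSlipError when the entry would land outside dest_dir.
def safe_entry_path(dest_dir, entry_name)
  root = File.realpath(dest_dir)
  # File.expand_path keeps absolute names as-is and expands a leading "~",
  # so both must be rejected before normalising.
  if entry_name.start_with?("/", "~")
    raise ZipSlipError, "absolute or home-relative entry: #{entry_name}"
  end
  target = File.expand_path(entry_name, root) # collapses "." and ".." lexically
  raise ZipSlipError, "entry escapes destination: #{entry_name}" unless inside?(root, target)
  # Lexical checks miss symlinks: resolve the deepest ancestor that already
  # exists so a symlink inside dest_dir cannot redirect the write outside it.
  existing = target
  existing = File.dirname(existing) until File.exist?(existing)
  unless inside?(root, File.realpath(existing))
    raise ZipSlipError, "entry resolves through a symlink out of destination: #{entry_name}"
  end
  target
end

# Naive extractor (the vulnerable pattern): trusts the entry name outright.
# Returns an empty list because it rejects nothing.
def unsafe_extract(dest_dir, entries)
  entries.each do |name, body|
    path = File.expand_path(name, dest_dir)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
  []
end

# Hardened extractor: validates each entry first and returns the names it refused.
def safe_extract(dest_dir, entries)
  rejected = []
  entries.each do |name, body|
    begin
      path = safe_entry_path(dest_dir, name)
    rescue ZipSlipError
      rejected << name
      next
    end
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, body)
  end
  rejected
end

# Runs one extractor in a throwaway sandbox and reports where files landed.
# Constructed layout: sandbox/courses is the intended destination and
# sandbox/elsewhere is reachable only through a pre-existing symlink
# sandbox/courses/shared -> sandbox/elsewhere.
def run_demo(extractor)
  Dir.mktmpdir("zipslip") do |sandbox|
    dest = File.join(sandbox, "courses")
    elsewhere = File.join(sandbox, "elsewhere")
    FileUtils.mkdir_p([dest, elsewhere])
    File.symlink(elsewhere, File.join(dest, "shared"))
    entries = [
      ["assignment/config.yml", "title: A1\n"],      # legitimate entry
      ["../escaped1.txt", "x"],                        # plain "../" traversal
      ["assignment/../../escaped2.txt", "x"],          # traversal after a benign prefix
      [File.join(sandbox, "escaped3.txt"), "x"],       # absolute entry name
      ["shared/escaped4.txt", "x"],                    # write through the symlink
    ]
    rejected = send(extractor, dest, entries)
    written = Dir.glob(File.join(dest, "**", "*.yml")).map { |p| p.delete_prefix(dest + "/") }
    escaped = (Dir.glob("#{sandbox}/*.txt") + Dir.glob("#{elsewhere}/*.txt")).map { |p| File.basename(p) }.sort
    { written: written, escaped: escaped, rejected: rejected }
  end
end

if $PROGRAM_NAME == __FILE__
  p run_demo(:unsafe_extract)
  p run_demo(:safe_extract)
end
```

Run with `ruby zipslip_demo.rb`: the naive extractor leaves the four escaped*.txt files outside courses/ (one of them through the symlink), while the hardened one writes only assignment/config.yml and reports the four hostile entry names. The ordering matters in the hardened version: the absolute and ~ checks come before expand_path because expand_path would otherwise honour them, and the realpath step comes last because it can only be applied to path components that already exist on disk.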

Business impact

With a CVSS score of 9.1, the impact is severe. Because the write is constrained only by the application user's file-system permissions, an attacker could overwrite application code, configuration or other critical files, or drop a web shell, to achieve Remote Code Execution (RCE) as that user. From there the likely outcomes are theft of student data, modification of grades, or complete loss of the grading platform's availability.

Remediation

Immediate Action: Upgrade MarkUs to version 2.9.1 or later; that release validates entry paths during ZIP extraction so entries cannot resolve outside the intended directory.

Proactive Monitoring: Inspect the server's file system for unexpected or recently modified files outside the intended "courses" upload path, and review records of instructor ZIP uploads for entry names containing ../ sequences or absolute paths.

Compensating Controls: Run the web application as a dedicated, unprivileged OS user with write access only to the directories it genuinely needs (uploads, temporary files, logs), so that an arbitrary write cannot reach application code or system files, and deploy file integrity monitoring (FIM) on everything outside those directories.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability for a user to write arbitrary files to a server is a critical security failure. Administrators should update MarkUs immediately, verify that the application user's file-system permissions are strictly limited, and, since exploitation requires an instructor account, review who holds that role until the upgrade is complete.