Cross Site Request Forgery in Release all grades feature in autolab/autolab


Reported on

Apr 24th 2022


Hi there, there is a Cross site request Forgery in your Release all grades feature. This is due to the release all grades action is using GET request method. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application.

Proof of Concept

  1. Install autolab and log in as admin
  2. Access the link /courses/<course-name>/assessments/<assessment-name>/releaseAllGrades
  3. See that all grade are released




We are processing your report and will contact the autolab team within 24 hours. a year ago
We have contacted a member of the autolab team and are waiting to hear back a year ago
autolab/autolab maintainer
a year ago


We have seen your report and are able to reproduce the behavior that can cause the CSRF. We are working on a fix and will get back on we have it ready to go!

We have sent a follow up to the autolab team. We will try again in 7 days. a year ago
autolab/autolab maintainer modified the Severity from Critical (9.3) to High (8.2) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
autolab/autolab maintainer validated this vulnerability a year ago
justinp09010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joey Wildman marked this as fixed in 2.8.0 with commit a5fa31 a year ago
Joey Wildman has been awarded the fix bounty
This vulnerability will not receive a CVE
routes.rb#L143 has been validated
Joey Wildman
a year ago


CSRF vulnerability fixed by changing request type from GET to POST and adding rails CSRF protection via protect_from_forgery:

to join this conversation