MarkUs is a web application for the submission and grading of student assignments. Prior to version 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>…

MarkUs, a web application for submission and grading of student assignments, contains a cross-site scripting (XSS) vulnerability in versions prior to 2.9.1. The vulnerability exists in the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content route which reads and renders student-submitted file contents without proper sanitization. This allows malicious content in student submissions to be executed in the browser. The issue has been patched in version 2.9.1 with proper input sanitization implemented.