How a student account could view other students' submissions, trigger XSS in the grading flow, act as an instructor, and turn a zip upload bug into server takeover.
