A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token...
6.1CVSS
6AI Score
0.001EPSS
An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are...
7.5CVSS
7.5AI Score
0.006EPSS
A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted...
6.1CVSS
6.2AI Score
0.001EPSS
Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to...
8.8CVSS
7.3AI Score
0.011EPSS
confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login...
9.8CVSS
7.7AI Score
0.011EPSS
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution.....
9.8CVSS
8.6AI Score
0.016EPSS
ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher)...
8.8CVSS
8.8AI Score
0.784EPSS
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for.....
8.8CVSS
9AI Score
0.013EPSS
An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase...
8.8CVSS
7.7AI Score
0.008EPSS
A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to...
6.1CVSS
6.6AI Score
0.001EPSS
5.4CVSS
6.4AI Score
0.001EPSS
Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable...
5.4CVSS
6.2AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h...
6.1CVSS
5.8AI Score
0.005EPSS
Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal...
7.5CVSS
7.5AI Score
0.001EPSS
ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal vulnerability in the Course Icon component resulting in...
9.8CVSS
7.5AI Score
0.008EPSS
ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component...
9.8CVSS
7.3AI Score
0.008EPSS
ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend...
9.8CVSS
8.6AI Score
0.007EPSS
SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to...
9.8CVSS
8.6AI Score
0.82EPSS
Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2.2.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (lang_code in themes/*/admin/system_preferences/language_edit.tmpl.php). An attacker could execute arbitrary HTML and...
6.1CVSS
6.6AI Score
0.001EPSS
Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip...
8.8CVSS
9.1AI Score
0.003EPSS
Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the (1) asc or (2) desc...
7.8AI Score
0.013EPSS
Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a direct request to the...
7.4AI Score
0.004EPSS
Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title parameter in an add_forum action. NOTE: the original disclosure also reported issues that may not...
5.9AI Score
0.001EPSS
Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) themes/default/tile_search/index.tmpl.php, (2) login.php, (3) search.php, (4) password_reminder.php, (5) login.php/jscripts/infusion, (6).....
5.9AI Score
0.007EPSS
ATutor 2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by users/tool_settings.inc.php and certain other...
6.9AI Score
0.003EPSS
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in...
6AI Score
0.004EPSS
PHP remote file inclusion vulnerability in tools/packages/import.php in ATutor 1.6.1 pl1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via a URL in the type...
7.9AI Score
0.03EPSS
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in (a) forum post or (b) mail; or (2) the website field of the...
6.3AI Score
0.002EPSS
Multiple SQL injection vulnerabilities in ATutor 1.5.3.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. NOTE: CVE analysis suggests that the vendor fixed these...
8.9AI Score
0.002EPSS
Multiple PHP remote file inclusion vulnerabilities in ATutor 1.5.3.2 allow remote attackers to execute arbitrary PHP code via a URL in the (1) section parameter in (a) documentation/common/frame_toc.php and (b) documentation/common/search.php, the (2) req_lang parameter in...
7.7AI Score
0.012EPSS
SQL injection vulnerability in links/index.php in ATutor 1.5.3.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the (1) desc or (2) asc...
8.8AI Score
0.028EPSS
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) lang parameter in (a) index_list.php and (2) year, (3) month, and (4) day parameter in (b)...
6.3AI Score
0.012EPSS
SQL injection vulnerability in index.php in ATutor 1.5.3 allows remote attackers to execute arbitrary SQL commands via the fid parameter. NOTE: this issue has been disputed by the vendor, who states "The mentioned SQL injection vulnerability is not possible." However, the relevant source code...
9.4AI Score
0.008EPSS
Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) show_courses or (2) current_cat parameters to (a) admin/create_course.php, show_courses parameter to (b) users/create_course.php, (3) p parameter to.....
6.3AI Score
0.015EPSS
registration.PHP in ATutor 1.5.1 pl2 allows remote attackers to execute arbitrary SQL commands via an e-mail address that ends in a NULL character, which bypasses the PHP regular expression check. NOTE: it is possible that this is actually a bug in PHP code, in which case this should not be...
9AI Score
0.048EPSS
Multiple PHP file inclusion vulnerabilities in ATutor 1.4.1 through 1.5.1-pl1 allow remote attackers to include arbitrary files via the section parameter followed by a null byte (%00) in (1) body_header.inc.php and (2)...
7.2AI Score
0.106EPSS
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.1 through 1.5.1-pl1 allow remote attackers to inject arbitrary web script or HTML via (1) the _base_href parameter in translate.php, (2) the _base_path parameter in news.inc.php, and (3) the p parameter in...
5.9AI Score
0.009EPSS
config.inc.php in ATutor 1.5.1, and possibly earlier versions, uses an incomplete blacklist to check for dangerous file extensions, which allows authenticated administrators or educators to execute arbitrary code by uploading files with other executable extensions such as .inc, .php4, or...
7.7AI Score
0.0005EPSS
SQL injection vulnerability in password_reminder.php in ATutor before 1.5.1 pl1 allows remote attackers to execute arbitrary SQL commands via the email...
8.6AI Score
0.015EPSS
ATutor 1.5.1, and possibly earlier versions, stores temporary chat logs under the web document root with insufficient access control and predictable filenames, which allows remote attackers to obtain user chat conversations via direct requests to those...
7AI Score
0.021EPSS
Cross-site scripting (XSS) vulnerability in ATutor 1.5.1 allows remote attackers to inject arbitrary web script or HTML via (1) course parameter in login.php or (2) words parameter in...
5.8AI Score
0.004EPSS
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 and 1.5 RC 1 allow remote attackers to inject arbitrary web script or HTML via the (1) show_course parameter to browse.php, (2) subject parameter to contact.php, (3) cid parameter to content.php, (4) l parameter to...
6.3AI Score
0.006EPSS