14 matches found
CVE-2005-2956
ATutor 1.5.1 (and possibly earlier) stores temporary chat logs under the web document root with insufficient access control and predictable filenames, allowing remote attackers to obtain user chat conversations via direct requests to those files. This CVE entry contains the core detail; no exploi...
CVE-2006-5734
The CVE-2006-5734 entry describes multiple PHP remote file inclusion vulnerabilities in ATutor 1.5.3.2, exploitable via untrusted URLs passed to specific parameters (1) section in documentation/common/frame_toc.php and documentation/common/search.php; (2) req_lang in documentation/common/search.p...
CVE-2005-2649
CVE-2005-2649 describes a cross-site scripting (XSS) vulnerability in ATutor 1.5.1 that allows remote attackers to inject arbitrary script or HTML via the parameters course in login.php or words in search.php. The CVE is cited with a base score of 4.3 (Medium) on the NVD entry, and multiple conne...
CVE-2005-3403
ATutor
CVE-2006-3662
ATutor 1.5.3 contains a SQL injection in index.php via the fid parameter that could allow remote execution of arbitrary SQL commands. The vendor disputes the vulnerability, but source code analysis suggests it may be legitimate; the parameter is cleansed in version 1.5.3.1. Affected version: ATut...
CVE-2005-2954
CVE-2005-2954 corresponds to an SQL injection vulnerability in ATutor’s password_reminder.php, exploitable via the email field and affecting ATutor prior to 1.5.1 pl1. The issue is described as an input validation flaw in the remote version of ATutor, enabling attackers to manipulate SQL queries....
CVE-2005-3404
CVE-2005-3404 : ATutor versions 1.4.1–1.5.1-pl1 are affected by multiple PHP file inclusion vulnerabilities. An attacker can cause remote inclusion of arbitrary files via the section parameter (with a null byte %00) in body_header.inc.php and print.php. This corresponds to an arbitrary file inclu...
CVE-2007-0381
ATutor 1.5.3.2 contains multiple SQL injection vulnerabilities that allow remote attackers to execute arbitrary SQL commands via unspecified parameters. The underlying issue is not detailed in the provided documents beyond the vendor-fixed note; no exploitation details are given. The CVE entry in...
CVE-2005-4155
CVE-2005-4155 affects ATutor 1.5.1 pl2: registration.PHP permits remote SQL execution via an e-mail address ending with a NULL character that bypasses the PHP regex check. Root cause: input crafted to defeat validation, enabling arbitrary SQL commands. Impact is remote compromise of ATutor via th...
CVE-2006-3484
ATutor before 1.5.3 is affected by multiple cross-site scripting (XSS) vulnerabilities. The issues allow remote attackers to inject arbitrary web script or HTML via specific parameters: show_courses or current_cat to admin/create_course.php; show_courses to users/create_course.php; p to documenta...
CVE-2006-3821
ATutor 1.5.3 is affected by multiple XSS flaws (CVE-2006-3821). The vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the (1) lang parameter in index_list.php and (2) year, (3) month, and (4) day parameters in registration.php. The NVD entry reports a CVSS v2 base ...
CVE-2005-2044
CVE-2005-2044 affects ATutor (versions 1.4.3 and 1.5 RC1) with multiple reflected cross-site scripting (XSS) flaws. The vulnerability enables remote attackers to inject arbitrary web script or HTML through a long list of parameters across several pages: show_course (browse.php), subject (contact....
CVE-2005-2955
ATutor 1.5.1 (and possibly earlier) is affected by CVE-2005-2955 due to an incomplete blacklist in config.inc.php that fails to block dangerous file extensions during upload, allowing authenticated administrators/educators to execute arbitrary code by uploading files with extensions like .inc or ...
CVE-2006-3996
CVE-2006-3996 affects ATutor 1.5.3.1 and earlier in the file links/index.php. The vulnerability is an SQL injection in the desc and asc parameters, allowing remote authenticated users to execute arbitrary SQL commands. The NVD records a CVSS v2 base score of 6.5 (MEDIUM) with network attack vecto...