Search: Atutor
28 matches found

CVE-2019-12169
Type: CVE | Added: 2019/06/03 8:00 p.m. | Views: 159

CVE-2019-12169 affects ATutor 2.2.4 and enables remote code execution via an arbitrary file upload and directory traversal. The vulnerability is triggered by a malformed ZIP archive exploiting a ".." pathname to drop PHP payloads into either mods/_core/languages/language_import.php (Import New La...

CVSS: 8.8 | AI score: 8.7 | EPSS: 0.73317 | Tags: Web

CVE-2023-27008
Type: CVE | Added: 2023/03/28 12:00 a.m. | Views: 77

ATutor 2.2.1 is affected by CVE-2023-27008: a reflected XSS in login.tmpl.php (encrypt_password()) via the token parameter. Exploitation can inject script/HTML into pages viewed by users. Mitigation: upgrade to ATutor 2.2.2 or newer; consider restricting access to login.tmpl.php. No exploit detai...

CVSS: 6.1 | AI score: 6 | EPSS: 0.01499 | Tags: In wild

CVE-2021-43498
Type: CVE | Added: 2022/04/08 6:06 p.m. | Views: 70

CVE-2021-43498 affects ATutor 2.2.4 in password_reminder.php. The vulnerability is an access-control issue triggered when the POST parameters g, id, h, form_password_hidden, and form_change are set. Documentation consistently describes an unauthorized access condition but does not provide exploit...

CVSS: 7.5 | AI score: 7.5 | EPSS: 0.01616

CVE-2017-14981
Type: CVE | Added: 2017/10/02 1:00 a.m. | Views: 65

ATutor before 2.2.3 contains a cross-site scripting (XSS) vulnerability due to insufficient filtering of data in the URL parameter used by /mods/_standard/rss_feeds/edit_feed.php. An attacker could inject arbitrary HTML/JavaScript that runs in the context of the affected site. The available docum...

CVSS: 5.4 | AI score: 5.2 | EPSS: 0.00596 | Tags: Web

CVE-2020-23341
Type: CVE | Added: 2021/08/17 9:45 p.m. | Views: 64

CVE-2020-23341 is a reflected XSS vulnerability in ATutor 2.2.4, specifically in the /header.tmpl.php component. The provided documents state that an attacker can craft input to cause the execution of arbitrary web scripts or HTML in the victim’s browser. The Red Hat, NVD, OSV, and other feeds co...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00827

CVE-2016-2555
Type: CVE | Added: 2017/04/13 2:00 p.m. | Views: 60

ATutor 2.2.1 contains a SQL Injection vulnerability in include/lib/mysql_connect.inc.php. The flaw allows remote attackers to execute arbitrary SQL commands through the searchFriends function in friends.inc.php, as detailed in exploit paths (e.g., Exploit-DB entry 39514) and related Metasploit mo...

CVSS: 9.8 | AI score: 9.9 | EPSS: 0.79622 | Tags: Web

CVE-2016-2539
Type: CVE | Added: 2017/02/07 3:00 p.m. | Views: 58

ATutor

CVSS: 8.8 | AI score: 9.1 | EPSS: 0.04254

CVE-2014-9752
Type: CVE | Added: 2015/11/16 7:00 p.m. | Views: 55

CVE-2014-9752: ATutor before 2.2 patch 6 suffers an unrestricted file upload via the customicon field in mods/_core/properties/lib/course.inc.php. A remote authenticated user can upload a PHP file to /content/ and access it directly to execute code, requiring at least an account with permission ...

CVSS: 6.5 | AI score: 7.5 | EPSS: 0.02111 | Tags: Web

CVE-2015-6521
Type: CVE | Added: 2017/10/10 4:00 p.m. | Views: 52

ATutor LMS version 2.2 is affected by multiple cross-site scripting (XSS) vulnerabilities. The CNVD entry states a cross-site scripting flaw exists in ATutor LMS 2.2, allowing a remote attacker to inject arbitrary web script or HTML. The NVD entry corroborates XSS in ATutor LMS 2.2 with CVSS v3 b...

CVSS: 5.4 | AI score: 5.4 | EPSS: 0.00666

CVE-2015-7712
Type: CVE | Added: 2015/11/16 7:00 p.m. | Views: 52

ATutor 2.2 and earlier contains a PHP code injection vulnerability in mods/_standard/gradebook/edit_marks.php that allows remote authenticated users with AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the asc or desc parameters. This is a classic eval/ injection flaw in the gradebo...

CVSS: 6.5 | AI score: 7.8 | EPSS: 0.02059 | Tags: Web

CVE-2017-6483
Type: CVE | Added: 2017/03/05 8:00 p.m. | Views: 51

ATutor 2.2.2 is affected by multiple XSS issues due to insufficient filtering of user-supplied data passed to several pages, notably lang_code handling in themes/*/admin/system_preferences/language_edit.tmpl.php. The vulnerability enables an attacker to execute arbitrary HTML and script code in ...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00709 | Tags: Web

CVE-2014-2091
Type: CVE | Added: 2014/03/02 5:00 p.m. | Views: 49

ATutor 2.1.1 is affected by CVE-2014-2091: a cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php that allows remote authenticated administrators to inject arbitrary script/HTML via the title parameter in an add_forum action. The issue is exploitable by those with...

CVSS: 3.5 | AI score: 5.5 | EPSS: 0.01267 | Tags: Web

CVE-2012-6528
Type: CVE | Added: 2013/01/31 2:00 a.m. | Views: 48

ATutor before 2.1 contains multiple cross-site scripting (XSS) vulnerabilities exploitable via PATH_INFO in several endpoints (themes/default/tile_search/index.tmpl.php, login.php, search.php, password_reminder.php, login.php/jscripts/infusion, login.php/mods/_standard/flowplayer, browse.php/jscr...

CVSS: 4.3 | AI score: 5.9 | EPSS: 0.01851

CVE-2017-1000002
Type: CVE | Added: 2017/07/13 8:00 p.m. | Views: 48

CVE-2017-1000002 affects ATutor

CVSS: 9.8 | AI score: 9.3 | EPSS: 0.30833

CVE-2017-1000003
Type: CVE | Added: 2017/07/13 8:00 p.m. | Views: 47

ATutor 2.2.1 and earlier is affected by CVE-2017-1000003, an incorrect access control check vulnerability that enables privilege escalation. The issue is reported in multiple components: Social Application, Module, and Alternative Content within ATutor. The provided documents specify the affected...

CVSS: 9.8 | AI score: 9.3 | EPSS: 0.02324

CVE-2019-11446
Type: CVE | Added: 2019/04/22 4:01 a.m. | Views: 47

CVE-2019-11446 affects ATutor up to version 2.2.4. It enables an arbitrary file upload via the File Manager’s upload.php, allowing a user with teacher privileges to run commands on the server. The root cause is an upload filter: the $IllegalExtensions list only includes lowercase extensions and o...

CVSS: 8.8 | AI score: 8.8 | EPSS: 0.07948

CVE-2019-12170
Type: CVE | Added: 2019/05/17 9:52 p.m. | Views: 47

ATutor 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php backup component, enabling remote code execution when a crafted backup ZIP is uploaded by an attacker with instructor privileges. The issue allows PHP files to be written to the web root and executed on the...

CVSS: 9 | AI score: 8.9 | EPSS: 0.08749 | Tags: Web

CVE-2010-0971
Type: CVE | Added: 2010/03/16 6:26 p.m. | Views: 46

CVE-2010-0971 concerns multiple XSS flaws in ATutor 1.6.4. The affected components are the polls, groups, and assignments modules: injecting scripts via (1) Question and (2) Choice in tools/polls/add.php, (3) Type and (4) Title in tools/groups/create_manual.php, and (5) Title in assignments/add_a...

CVSS: 2.1 | AI score: 5.5 | EPSS: 0.01668 | Tags: Web

CVE-2017-1000004
Type: CVE | Added: 2017/07/13 8:00 p.m. | Views: 46

CVE-2017-1000004 affects ATutor versions 2.2.1 and earlier, with a SQL injection vulnerability across multiple components (Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossa...

CVSS: 9.8 | AI score: 9.7 | EPSS: 0.04689

CVE-2019-7172
Type: CVE | Added: 2019/01/29 6:00 p.m. | Views: 44

ATutor up to version 2.2.4 contains a stored self-XSS vulnerability in the Real Name field accessed via /mods/_core/users/admins/my_edit.php. The issue allows an attacker to inject HTML/JavaScript into user names, with the effect described as a stored XSS, but the provided documents do...

CVSS: 6.1 | AI score: 6.2 | EPSS: 0.00865 | Tags: Web

CVE-2019-16114
Type: CVE | Added: 2019/09/09 12:15 p.m. | Views: 43

ATutor 2.2.4 is affected by CVE-2019-16114. An unauthenticated attacker can first modify application settings to force the use of a crafted database, enabling access to the application. The attacker can then alter the upload directory, enabling remote code execution. The root cause is that instal...

CVSS: 9.8 | AI score: 9.9 | EPSS: 0.04783 | Tags: Web

CVE-2008-0828
Type: CVE | Added: 2008/02/19 9:00 p.m. | Views: 42

ATutor 1.5.5 and earlier contains multiple cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in forum posts or mail, or (2) the website field in user profiles. The CVE entry covers these XSS flaws; expl...

CVSS: 4.3 | AI score: 5.8 | EPSS: 0.01033

CVE-2016-10400
Type: CVE | Added: 2017/07/22 5:00 p.m. | Views: 42

CVE-2016-10400 describes a directory traversal in ATutor prior to 2.2.2, exploitable via the icon parameter to /mods/_core/courses/users/create_course.php. An attacker can read arbitrary files by leveraging a traversal sequence and invoking /get_course_icon.php?id= after the traversal (e.g., to r...

CVSS: 7.5 | AI score: 7.4 | EPSS: 0.01937 | Tags: Web

CVE-2015-1583
Type: CVE | Added: 2020/03/02 3:50 p.m. | Views: 41

ATutor LCMS 2.2 is affected by CSRF in two admin-facing endpoints (mods/_core/users/admins/create.php and mods/_core/users/create_user.php). The root cause is cross-site request forgery that allows an authenticated admin context to create either another administrator (super admin) or a new instru...

CVSS: 8.8 | AI score: 8.9 | EPSS: 0.01216 | Tags: Web

CVE-2015-7711
Type: CVE | Added: 2017/08/31 10:00 p.m. | Views: 41

CVE-2015-7711 affects ATutor

CVSS: 6.1 | AI score: 6 | EPSS: 0.01644

CVE-2008-3368
Type: CVE | Added: 2008/07/30 5:00 p.m. | Views: 40

ATutor 1.6.1 pl1 and earlier is affected by CVE-2008-3368 due to a PHP remote file inclusion vulnerability in tools/packages/import.php, enabling remote authenticated administrators to execute arbitrary PHP code via a URL passed in the type parameter. The issue arises from improper handling of th...

CVSS: 6.5 | AI score: 7.2 | EPSS: 0.0265 | Tags: Web

CVE-2011-3706
Type: CVE | Added: 2011/09/23 11:00 p.m. | Views: 40

CVE-2011-3706 affects ATutor 2.0. The vulnerability allows remote attackers to obtain sensitive information by directly requesting a PHP file, causing an error message that reveals the installation path (demonstrated by files like users/tool_settings.inc.php and others). The available documents d...

CVSS: 5 | AI score: 6.3 | EPSS: 0.01335

CVE-2014-9753
Type: CVE | Added: 2020/02/11 5:51 p.m. | Views: 39

CVE-2014-9753 affects ATutor 2.2 and earlier. The vulnerability arises in confirm.php via the auto_login parameter, allowing remote attackers to bypass authentication and gain an existing user session by loading or forging session data (session variable handling). The provided code excerpt shows ...

CVSS: 9.8 | AI score: 9.6 | EPSS: 0.02908