28 matches found
CVE-2019-12169
CVE-2019-12169 affects ATutor 2.2.4 and enables remote code execution via an arbitrary file upload and directory traversal. The vulnerability is triggered by a malformed ZIP archive exploiting a ".." pathname to drop PHP payloads into either mods/_core/languages/language_import.php (Import New La...
CVE-2023-27008
ATutor 2.2.1 is affected by CVE-2023-27008: a reflected XSS in login.tmpl.php (encrypt_password()) via the token parameter. Exploitation can inject script/HTML into pages viewed by users. Mitigation: upgrade to ATutor 2.2.2 or newer; consider restricting access to login.tmpl.php. No exploit detai...
CVE-2021-43498
CVE-2021-43498 affects ATutor 2.2.4 in password_reminder.php. The vulnerability is an access-control issue triggered when the POST parameters g, id, h, form_password_hidden, and form_change are set. Documentation consistently describes an unauthorized access condition but does not provide exploit...
CVE-2017-14981
ATutor before 2.2.3 contains a cross-site scripting (XSS) vulnerability due to insufficient filtering of data in the URL parameter used by /mods/_standard/rss_feeds/edit_feed.php. An attacker could inject arbitrary HTML/JavaScript that runs in the context of the affected site. The available docum...
CVE-2020-23341
CVE-2020-23341 is a reflected XSS vulnerability in ATutor 2.2.4, specifically in the /header.tmpl.php component. The provided documents state that an attacker can craft input to cause the execution of arbitrary web scripts or HTML in the victim’s browser. The Red Hat, NVD, OSV, and other feeds co...
CVE-2016-2555
ATutor 2.2.1 contains a SQL Injection vulnerability in include/lib/mysql_connect.inc.php. The flaw allows remote attackers to execute arbitrary SQL commands through the searchFriends function in friends.inc.php, as detailed in exploit paths (e.g., Exploit-DB entry 39514) and related Metasploit mo...
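As an added illustration of the flaw class in the CVE-2016-2555 entry (not ATutor's code, and Python rather than PHP so it runs stand-alone): a hypothetical friend-search that splices the search term into the SQL text, beside the parameterized form. The table, rows and the injection string are constructed for the demo.

```python
import sqlite3

# Constructed sample data (hypothetical, not ATutor's schema).
MEMBERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "bob@example.org"),
    (3, "carol", "carol@example.org"),
]


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (member_id INTEGER, login TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def search_friends_vulnerable(conn, term):
    """Hypothetical vulnerable search: the user-supplied term becomes part of
    the SQL text, so quote characters in it change the query's structure."""
    sql = "SELECT member_id, login FROM members WHERE login LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_friends_safe(conn, term):
    """Hardened form: the term is bound as a parameter and can only be data.
    The wildcard characters are added to the bound value, not to the SQL."""
    sql = "SELECT member_id, login FROM members WHERE login LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def demo():
    """Run both variants with a constructed tautology probe.

    No login contains 'zzz', so a correct search returns nothing. In the
    vulnerable variant the probe closes the string literal and appends
    OR '1' LIKE '1%', which is true for every row."""
    conn = make_db()
    probe = "zzz' OR '1' LIKE '1"
    return {
        "vulnerable": search_friends_vulnerable(conn, probe),
        "safe": search_friends_safe(conn, probe),
    }
```

The vulnerable query ends up as `... WHERE login LIKE '%zzz' OR '1' LIKE '1%'` and returns every member; the bound query treats the whole probe as a literal and returns no rows.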
CVE-2016-2539
ATutor
CVE-2014-9752
CVE-2014-9752: ATutor before 2.2 patch 6 suffers an unrestricted file upload via the customicon field in mods/_core/properties/lib/course.inc.php. A remote authenticated user can upload a PHP file to /content/ and access it directly to execute code, requiring at least an account with permission ...
CVE-2015-6521
ATutor LMS version 2.2 is affected by multiple cross-site scripting (XSS) vulnerabilities. The CNVD entry states a cross-site scripting flaw exists in ATutor LMS 2.2, allowing a remote attacker to inject arbitrary web script or HTML. The NVD entry corroborates XSS in ATutor LMS 2.2 with CVSS v3 b...
CVE-2015-7712
ATutor 2.2 and earlier contains a PHP code injection vulnerability in mods/_standard/gradebook/edit_marks.php that allows remote authenticated users with AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the asc or desc parameters. This is a classic eval()-based code injection flaw in the gradebo...
CVE-2017-6483
ATutor 2.2.2 is affected by multiple XSS issues due to insufficient filtering of user-supplied data passed to several pages, notably lang_code handling in themes/*/admin/system_preferences/language_edit.tmpl.php. The vulnerability enables an attacker to execute arbitrary HTML and script code in ...
CVE-2014-2091
ATutor 2.1.1 is affected by CVE-2014-2091: a cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php that allows remote authenticated administrators to inject arbitrary script/HTML via the title parameter in an add_forum action. The issue is exploitable by those with...
CVE-2012-6528
ATutor before 2.1 contains multiple cross-site scripting (XSS) vulnerabilities exploitable via PATH_INFO in several endpoints (themes/default/tile_search/index.tmpl.php, login.php, search.php, password_reminder.php, login.php/jscripts/infusion, login.php/mods/_standard/flowplayer, browse.php/jscr...
CVE-2017-1000002
CVE-2017-1000002 affects ATutor
CVE-2017-1000003
ATutor 2.2.1 and earlier is affected by CVE-2017-1000003, an incorrect access control check vulnerability that enables privilege escalation. The issue is reported in multiple components: Social Application, Module, and Alternative Content within ATutor. The provided documents specify the affected...
CVE-2019-11446
CVE-2019-11446 affects ATutor up to version 2.2.4. It enables an arbitrary file upload via the File Manager’s upload.php, allowing a user with teacher privileges to run commands on the server. The root cause is an upload filter: the $IllegalExtensions list only includes lowercase extensions and o...
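An added example of the filter weakness the CVE-2019-11446 entry describes, written here in Python as a language-independent illustration (it is not ATutor's upload.php). The denylist contents are constructed for the demo; the assumption, following the summary, is that the original compared the uploaded file's extension against lowercase entries without normalizing case, so an uppercase extension passed the check.

```python
import os

# Constructed denylist: lowercase entries only, as the summary describes.
ILLEGAL_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phps", "pl", "cgi"}

# Constructed allowlist for the preferred design (adjust to what the app expects).
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif"}


def is_blocked_vulnerable(filename):
    """Case-sensitive denylist check: 'shell.PHP' has extension 'PHP', which is
    not in the lowercase set, so the file is accepted."""
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    return ext in ILLEGAL_EXTENSIONS


def is_blocked_hardened(filename):
    """Denylist done properly: lower-case the name and test every dotted
    component after the first, so 'x.PHP', 'x.pHp' and double extensions such
    as 'x.php.txt' are all rejected (the latter as defence in depth against
    handlers that match on any component)."""
    parts = os.path.basename(filename).lower().split(".")[1:]
    return any(p in ILLEGAL_EXTENSIONS for p in parts)


def is_accepted_allowlist(filename):
    """Preferred design: accept only 'name.ext' with a single, expected,
    case-normalized extension. Everything else is refused by default."""
    parts = os.path.basename(filename).lower().split(".")
    return len(parts) == 2 and parts[0] != "" and parts[1] in ALLOWED_EXTENSIONS
```

Uploads should be stored under a server-chosen name outside the web root regardless of the extension check; the check above only decides whether the file is accepted at all.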
CVE-2019-12170
ATutor 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php backup component, enabling remote code execution when a crafted backup ZIP is uploaded by an attacker with instructor privileges. The issue allows PHP files to be written to the web root and executed on the...
CVE-2010-0971
CVE-2010-0971 concerns multiple XSS flaws in ATutor 1.6.4. The affected components are the polls, groups, and assignments modules: injecting scripts via (1) Question and (2) Choice in tools/polls/add.php, (3) Type and (4) Title in tools/groups/create_manual.php, and (5) Title in assignments/add_a...
CVE-2017-1000004
CVE-2017-1000004 affects ATutor versions 2.2.1 and earlier, with a SQL injection vulnerability across multiple components (Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossa...
CVE-2019-7172
ATutor up to version 2.2.4 contains a stored self-XSS vulnerability in the Real Name field accessed via /mods/_core/users/admins/my_edit.php. The issue allows an attacker to inject HTML/JavaScript into user names, with the effect described as a stored XSS, but the provided documents do...
CVE-2019-16114
ATutor 2.2.4 is affected by CVE-2019-16114. An unauthenticated attacker can first modify application settings to force the use of a crafted database, enabling access to the application. The attacker can then alter the upload directory, enabling remote code execution. The root cause is that instal...
CVE-2008-0828
ATutor 1.5.5 and earlier contains multiple cross-site scripting (XSS) vulnerabilities. An attacker can inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in forum posts or mail, or (2) the website field in user profiles. The CVE entry covers these XSS flaws; expl...
CVE-2016-10400
CVE-2016-10400 describes a directory traversal in ATutor prior to 2.2.2, exploitable via the icon parameter to /mods/_core/courses/users/create_course.php. An attacker can read arbitrary files by leveraging a traversal sequence and invoking /get_course_icon.php?id= after the traversal (e.g., to r...
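The three path-traversal entries above (CVE-2019-12169's ".." entries in an uploaded ZIP, CVE-2019-12170's backup ZIP written into the web root, and CVE-2016-10400's icon parameter) share one defence: resolve the attacker-influenced path and refuse it unless it lands under the intended base directory. The following is an added Python example of that containment check, applied both to archive members before extraction and to a request parameter; it is not ATutor's code. The archive contents and the base directory path are constructed for the demo.

```python
import io
import os
import posixpath
import zipfile


def within_base(base, candidate):
    """True if base/candidate resolves (after '..' and symlink handling) to a
    location at or below base. This is the single check both callers rely on."""
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, candidate))
    return target == base_real or target.startswith(base_real + os.sep)


def is_safe_member(name, dest_dir):
    """Reject absolute paths, drive letters, and any name that escapes dest_dir."""
    if name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
        return False
    norm = posixpath.normpath(name.replace("\\", "/"))
    if norm == ".." or norm.startswith("../"):
        return False
    return within_base(dest_dir, norm)


def plan_extraction(zip_bytes, dest_dir):
    """Classify every archive member before writing anything to disk.
    Returns (safe_names, rejected_names); only safe_names would be extracted."""
    safe, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if is_safe_member(name, dest_dir):
                safe.append(posixpath.normpath(name))
            else:
                rejected.append(name)
    return safe, rejected


def build_sample_zip():
    """Constructed archive (not from any real exploit): one benign entry and
    one '..' entry of the kind the ZIP-import summaries describe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lang/en.txt", "hello")
        zf.writestr("../../mods/evil.php", "<?php /* constructed placeholder */ ?>")
    return buf.getvalue()


def resolve_icon(base_dir, icon_param):
    """Hardened lookup for a user-supplied file name such as the icon parameter:
    returns the resolved path if it stays under base_dir, otherwise None."""
    if not within_base(base_dir, icon_param):
        return None
    return os.path.realpath(os.path.join(base_dir, icon_param))
```

Doing the check on the resolved path (rather than searching the string for "..") also catches encoded or mixed-separator variants, because `realpath` sees the path the filesystem would actually use.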
CVE-2015-1583
ATutor LCMS 2.2 is affected by CSRF in two admin-facing endpoints (mods/_core/users/admins/create.php and mods/_core/users/create_user.php). Because these requests are not protected against cross-site request forgery, an attacker who lures a logged-in administrator to a malicious page can have the admin's browser create either another administrator (super admin) or a new instru...
CVE-2015-7711
CVE-2015-7711 affects ATutor
CVE-2008-3368
ATutor 1.6.1 pl1 and earlier is affected by CVE-2008-3368 due to a PHP remote file inclusion vulnerability in tools/packages/import.php, enabling remote authenticated administrators to execute arbitrary PHP code via a URL passed in the type parameter. The issue arises from improper handling of th...
CVE-2011-3706
CVE-2011-3706 affects ATutor 2.0. The vulnerability allows remote attackers to obtain sensitive information by directly requesting a PHP file, causing an error message that reveals the installation path (demonstrated by files like users/tool_settings.inc.php and others). The available documents d...
CVE-2014-9753
CVE-2014-9753 affects ATutor 2.2 and earlier. The vulnerability arises in confirm.php via the auto_login parameter, allowing remote attackers to bypass authentication and gain an existing user session by loading or forging session data (session variable handling). The provided code excerpt shows ...
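The CVE-2014-9753 entry describes an auto_login parameter through which a client could obtain an existing user's session. As an added example (not ATutor's confirm.php, and Python rather than PHP so it runs stand-alone), the following contrasts the failure mode of trusting a client-supplied identity with an HMAC-signed, expiring auto-login token. The secret, session table and timestamps are constructed for the demo; how ATutor itself parsed the parameter is not stated in the summary and is not modelled here.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secret (assumption: generated at install time, never sent to clients).
SECRET = b"constructed-demo-secret-rotate-in-production"


def auto_login_vulnerable(param, sessions):
    """Flaw class: whatever the client sends is used directly as the key into
    live session data, so knowing (or guessing) a key yields that user's session."""
    return sessions.get(param)


def issue_token(user_id, ttl=600, now=None):
    """Server-issued auto-login token: base64(payload).base64(HMAC-SHA256(payload)).
    The signature binds user id and expiry, so neither can be changed by the client."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"uid": user_id, "exp": now + ttl}, separators=(",", ":")).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(sig).decode()


def verify_token(token, now=None):
    """Return the user id for a valid, unexpired token, else None.
    Signature is checked in constant time before the payload is trusted."""
    now = int(time.time() if now is None else now)
    try:
        p_b64, s_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        sig = base64.urlsafe_b64decode(s_b64)
    except ValueError:          # malformed token (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    if data["exp"] < now:
        return None
    return data["uid"]


def swap_uid(token, new_uid):
    """What a forger would try: keep the genuine signature, replace the payload's
    uid. verify_token rejects it because the signature no longer matches."""
    p_b64, s_b64 = token.split(".", 1)
    data = json.loads(base64.urlsafe_b64decode(p_b64))
    data["uid"] = new_uid
    payload = json.dumps(data, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + s_b64
```

A token like this should still be single-use or short-lived and tied to the user's current password hash or a revocable server-side record, so that a leaked token cannot be replayed indefinitely.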