Vulnerability Details:
These vulnerabilities allow remote attackers to disclose information or execute arbitrary code on vulnerable installations of AContent. Authentication is required to exploit the remote code execution vulnerabilities, however account registration is open by default.
The tool_provider_outcome.php script allows a remote attacker to use a directory traversal in the url parameter to disclose information. The question_import.php, ims_import.php and import_test.php scripts allow a remote attacker to upload a specially crafted zip file containing directory traversals. An attacker could leverage this to execute arbitrary code under the context of the web server.
Affected Vendors:
ATutor
Affected Products:
AContent
Vendor Response:
ATutor has issued two updates to correct these vulnerabilities. More details can be found at: