Vulnerabilities related to atutor - atutor
cve-2015-1583
Vulnerability from cvelistv5
Published
2020-03-02 15:50
Modified
2024-08-06 04:47
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php.
References
▼ | URL | Tags |
---|---|---|
http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/72845 | vdb-entry, x_refsource_BID | |
https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18 | x_refsource_CONFIRM | |
https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce | x_refsource_CONFIRM | |
https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419 | x_refsource_CONFIRM | |
https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T04:47:17.346Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html" }, { "name": "72845", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/72845" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-02-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-03-02T15:50:35", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html" }, { "name": "72845", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/72845" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419" }, { "tags": [ "x_refsource_MISC" ], "url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-1583", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html" }, { "name": "72845", "refsource": "BID", "url": "http://www.securityfocus.com/bid/72845" }, { "name": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18", "refsource": "CONFIRM", "url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18" }, { "name": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce", "refsource": "CONFIRM", "url": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce" }, { "name": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419", "refsource": "CONFIRM", "url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419" }, { "name": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/", "refsource": "MISC", "url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-1583", "datePublished": "2020-03-02T15:50:35", "dateReserved": "2015-02-11T00:00:00", "dateUpdated": "2024-08-06T04:47:17.346Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-6521
Vulnerability from cvelistv5
Published
2017-10-10 16:00
Modified
2024-08-06 07:22
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2.
References
▼ | URL | Tags |
---|---|---|
https://github.com/atutor/ATutor/issues/103 | x_refsource_CONFIRM | |
http://www.openwall.com/lists/oss-security/2015/08/19/1 | mailing-list, x_refsource_MLIST |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:22:22.263Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/atutor/ATutor/issues/103" }, { "name": "[oss-security] 20150818 Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2015/08/19/1" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-08-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-10T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/atutor/ATutor/issues/103" }, { "name": "[oss-security] 20150818 Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2015/08/19/1" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-6521", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/atutor/ATutor/issues/103", "refsource": "CONFIRM", "url": "https://github.com/atutor/ATutor/issues/103" }, { "name": "[oss-security] 20150818 Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2015/08/19/1" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-6521", "datePublished": "2017-10-10T16:00:00", "dateReserved": "2015-08-18T00:00:00", "dateUpdated": "2024-08-06T07:22:22.263Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-16114
Vulnerability from cvelistv5
Published
2019-09-09 12:15
Modified
2024-08-05 01:03
Summary
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.
References
▼ | URL | Tags |
---|---|---|
https://github.com/atutor/ATutor/commits/master | x_refsource_MISC | |
https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T01:03:32.778Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/atutor/ATutor/commits/master" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-09-09T12:15:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/atutor/ATutor/commits/master" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-16114", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/atutor/ATutor/commits/master", "refsource": "MISC", "url": "https://github.com/atutor/ATutor/commits/master" }, { "name": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md", "refsource": "MISC", "url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-16114", "datePublished": "2019-09-09T12:15:29", "dateReserved": "2019-09-08T00:00:00", "dateUpdated": "2024-08-05T01:03:32.778Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-3368
Vulnerability from cvelistv5
Published
2008-07-30 17:00
Modified
2024-08-07 09:37
Summary
PHP remote file inclusion vulnerability in tools/packages/import.php in ATutor 1.6.1 pl1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via a URL in the type parameter.
References
▼ | URL | Tags |
---|---|---|
http://www.vupen.com/english/advisories/2008/2206/references | vdb-entry, x_refsource_VUPEN | |
http://securityreason.com/securityalert/4064 | third-party-advisory, x_refsource_SREASON | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/44051 | vdb-entry, x_refsource_XF | |
http://www.securityfocus.com/bid/30412 | vdb-entry, x_refsource_BID | |
http://secunia.com/advisories/31274 | third-party-advisory, x_refsource_SECUNIA | |
https://www.exploit-db.com/exploits/6153 | exploit, x_refsource_EXPLOIT-DB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T09:37:26.704Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "ADV-2008-2206", "tags": [ "vdb-entry", "x_refsource_VUPEN", "x_transferred" ], "url": "http://www.vupen.com/english/advisories/2008/2206/references" }, { "name": "4064", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/4064" }, { "name": "atutor-import-file-include(44051)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44051" }, { "name": "30412", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/30412" }, { "name": "31274", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/31274" }, { "name": "6153", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/6153" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-07-28T00:00:00", "descriptions": [ { "lang": "en", "value": "PHP remote file inclusion vulnerability in tools/packages/import.php in ATutor 1.6.1 pl1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via a URL in the type parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "ADV-2008-2206", "tags": [ "vdb-entry", "x_refsource_VUPEN" ], "url": "http://www.vupen.com/english/advisories/2008/2206/references" }, { "name": "4064", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/4064" }, { "name": "atutor-import-file-include(44051)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44051" }, { "name": "30412", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/30412" }, { "name": "31274", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/31274" }, { "name": "6153", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/6153" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-3368", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "PHP remote file inclusion vulnerability in tools/packages/import.php in ATutor 1.6.1 pl1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via a URL in the type parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "ADV-2008-2206", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/2206/references" }, { "name": "4064", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/4064" }, { "name": "atutor-import-file-include(44051)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44051" }, { "name": "30412", "refsource": "BID", "url": "http://www.securityfocus.com/bid/30412" }, { "name": "31274", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/31274" }, { "name": "6153", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/6153" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-3368", "datePublished": "2008-07-30T17:00:00", "dateReserved": "2008-07-30T00:00:00", "dateUpdated": "2024-08-07T09:37:26.704Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-1000004
Vulnerability from cvelistv5
Published
2017-07-13 20:00
Modified
2024-08-05 21:45
Summary
ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/99599 | vdb-entry, x_refsource_BID | |
http://www.atutor.ca/atutor/mantis/view.php?id=5681 | x_refsource_CONFIRM | |
http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:45:25.963Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "99599", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99599" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-07-13T00:00:00", "descriptions": [ { "lang": "en", "value": "ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-19T11:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "99599", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99599" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-1000004", "REQUESTER": "mattd@bugfuzz.com", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "99599", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99599" }, { "name": "http://www.atutor.ca/atutor/mantis/view.php?id=5681", "refsource": "CONFIRM", "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "name": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55", "refsource": "CONFIRM", "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000004", "datePublished": "2017-07-13T20:00:00", "dateReserved": "2017-07-10T00:00:00", "dateUpdated": "2024-08-05T21:45:25.963Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-43498
Vulnerability from cvelistv5
Published
2022-04-08 18:06
Modified
2024-08-04 03:55
Summary
An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.
References
▼ | URL | Tags |
---|---|---|
https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html | x_refsource_MISC | |
https://github.com/atutor/ATutor/blob/master/password_reminder.php | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:55:29.266Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-08T18:06:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-43498", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html", "refsource": "MISC", "url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html" }, { "name": "https://github.com/atutor/ATutor/blob/master/password_reminder.php", "refsource": "MISC", "url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-43498", "datePublished": "2022-04-08T18:06:02", "dateReserved": "2021-11-08T00:00:00", "dateUpdated": "2024-08-04T03:55:29.266Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-2539
Vulnerability from cvelistv5
Published
2017-02-07 15:00
Modified
2024-08-05 23:32
Summary
Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file.
References
▼ | URL | Tags |
---|---|---|
https://www.exploit-db.com/exploits/39524/ | exploit, x_refsource_EXPLOIT-DB | |
https://packetstormsecurity.com/files/136109/ATutor-LMS-2.2.1-CSRF-Remote-Code-Execution.html | x_refsource_MISC | |
https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:32:20.891Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "39524", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/39524/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://packetstormsecurity.com/files/136109/ATutor-LMS-2.2.1-CSRF-Remote-Code-Execution.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-03-05T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-07T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "39524", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/39524/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://packetstormsecurity.com/files/136109/ATutor-LMS-2.2.1-CSRF-Remote-Code-Execution.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2539", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "39524", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/39524/" }, { "name": "https://packetstormsecurity.com/files/136109/ATutor-LMS-2.2.1-CSRF-Remote-Code-Execution.html", "refsource": "MISC", "url": "https://packetstormsecurity.com/files/136109/ATutor-LMS-2.2.1-CSRF-Remote-Code-Execution.html" }, { "name": "https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac", "refsource": "CONFIRM", "url": "https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-2539", "datePublished": "2017-02-07T15:00:00", "dateReserved": "2016-02-23T00:00:00", "dateUpdated": "2024-08-05T23:32:20.891Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-1000003
Vulnerability from cvelistv5
Published
2017-07-13 20:00
Modified
2024-08-05 21:45
Summary
ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/99599 | vdb-entry, x_refsource_BID | |
http://www.atutor.ca/atutor/mantis/view.php?id=5681 | x_refsource_CONFIRM | |
http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:45:26.165Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "99599", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99599" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-07-13T00:00:00", "descriptions": [ { "lang": "en", "value": "ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-26T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "99599", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99599" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-1000003", "REQUESTER": "mattd@bugfuzz.com", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "99599", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99599" }, { "name": "http://www.atutor.ca/atutor/mantis/view.php?id=5681", "refsource": "CONFIRM", "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "name": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55", "refsource": "CONFIRM", "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000003", "datePublished": "2017-07-13T20:00:00", "dateReserved": "2017-07-10T00:00:00", "dateUpdated": "2024-08-05T21:45:26.165Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2020-23341
Vulnerability from cvelistv5
Published
2021-08-17 21:45
Modified
2024-08-04 14:58
Summary
A reflected cross-site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML in a victim's browser via a crafted payload (the payload is reflected in the response, so a victim must be induced to open the crafted request).
References
▼ | URL | Tags |
---|---|---|
https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/ | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T14:58:15.126Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-08-17T21:45:59", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-23341", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/", "refsource": "MISC", "url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-23341", "datePublished": "2021-08-17T21:45:59", "dateReserved": "2020-08-13T00:00:00", "dateUpdated": "2024-08-04T14:58:15.126Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2010-0971
Vulnerability from cvelistv5
Published
2010-03-16 18:26
Modified
2024-08-07 01:06
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. NOTE: some of these details are obtained from third party information.
References
▼ | URL | Tags |
---|---|---|
http://osvdb.org/62905 | vdb-entry, x_refsource_OSVDB | |
http://www.securityfocus.com/bid/38656 | vdb-entry, x_refsource_BID | |
http://www.exploit-db.com/exploits/11685 | exploit, x_refsource_EXPLOIT-DB | |
http://secunia.com/advisories/38906 | third-party-advisory, x_refsource_SECUNIA | |
http://osvdb.org/62904 | vdb-entry, x_refsource_OSVDB | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/56852 | vdb-entry, x_refsource_XF | |
http://packetstormsecurity.org/1003-exploits/atutor-xss.txt | x_refsource_MISC | |
http://osvdb.org/62906 | vdb-entry, x_refsource_OSVDB |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T01:06:52.521Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "62905", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/62905" }, { "name": "38656", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/38656" }, { "name": "11685", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/11685" }, { "name": "38906", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/38906" }, { "name": "62904", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/62904" }, { "name": "atutor-add-xss(56852)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56852" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.org/1003-exploits/atutor-xss.txt" }, { "name": "62906", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/62906" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2010-03-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. NOTE: some of these details are obtained from third party information." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-16T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "62905", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/62905" }, { "name": "38656", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/38656" }, { "name": "11685", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/11685" }, { "name": "38906", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/38906" }, { "name": "62904", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/62904" }, { "name": "atutor-add-xss(56852)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56852" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.org/1003-exploits/atutor-xss.txt" }, { "name": "62906", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/62906" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2010-0971", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. 
NOTE: some of these details are obtained from third party information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "62905", "refsource": "OSVDB", "url": "http://osvdb.org/62905" }, { "name": "38656", "refsource": "BID", "url": "http://www.securityfocus.com/bid/38656" }, { "name": "11685", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/11685" }, { "name": "38906", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/38906" }, { "name": "62904", "refsource": "OSVDB", "url": "http://osvdb.org/62904" }, { "name": "atutor-add-xss(56852)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56852" }, { "name": "http://packetstormsecurity.org/1003-exploits/atutor-xss.txt", "refsource": "MISC", "url": "http://packetstormsecurity.org/1003-exploits/atutor-xss.txt" }, { "name": "62906", "refsource": "OSVDB", "url": "http://osvdb.org/62906" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2010-0971", "datePublished": "2010-03-16T18:26:00", "dateReserved": "2010-03-16T00:00:00", "dateUpdated": "2024-08-07T01:06:52.521Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-6483
Vulnerability from cvelistv5
Published
2017-03-05 20:00
Modified
2024-08-05 15:33
Summary
Multiple cross-site scripting (XSS) issues were discovered in ATutor 2.2.2. The vulnerabilities exist due to insufficient filtering of user-supplied data passed to several pages (for example the lang_code parameter in themes/*/admin/system_preferences/language_edit.tmpl.php). An attacker could execute arbitrary HTML and script code in a victim's browser in the context of the vulnerable website.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/96578 | vdb-entry, x_refsource_BID | |
https://github.com/atutor/ATutor/issues/129 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T15:33:20.003Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "96578", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/96578" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/atutor/ATutor/issues/129" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-03-05T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2.2.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (lang_code in themes/*/admin/system_preferences/language_edit.tmpl.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-07T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "96578", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/96578" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/atutor/ATutor/issues/129" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-6483", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2.2.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (lang_code in themes/*/admin/system_preferences/language_edit.tmpl.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "96578", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96578" }, { "name": "https://github.com/atutor/ATutor/issues/129", "refsource": "CONFIRM", "url": "https://github.com/atutor/ATutor/issues/129" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-6483", "datePublished": "2017-03-05T20:00:00", "dateReserved": "2017-03-05T00:00:00", "dateUpdated": "2024-08-05T15:33:20.003Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12170
Vulnerability from cvelistv5
Published
2019-05-17 21:52
Modified
2024-08-04 23:10
Summary
ATutor through 2.2.4 is vulnerable to arbitrary file upload via the mods/_core/backups/upload.php (aka backup) component, which may result in remote command execution. An attacker who holds an instructor account can fully compromise the system by uploading a crafted backup ZIP archive: PHP files contained in the archive are written to the web root, where they can then be executed on the remote server.
References
▼ | URL | Tags |
---|---|---|
https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File | x_refsource_MISC | |
http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/ | x_refsource_MISC | |
http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:10:30.829Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-08-05T22:06:04", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File" }, { "tags": [ "x_refsource_MISC" ], "url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12170", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File", "refsource": "MISC", "url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File" }, { "name": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/", "refsource": "MISC", "url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/" }, { "name": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12170", "datePublished": "2019-05-17T21:52:18", "dateReserved": "2019-05-17T00:00:00", "dateUpdated": "2024-08-04T23:10:30.829Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-7712
Vulnerability from cvelistv5
Published
2015-11-16 19:00
Modified
2024-08-06 07:58
Summary
Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the (1) asc or (2) desc parameter.
References
▼ | URL | Tags |
---|---|---|
http://karmainsecurity.com/KIS-2015-08 | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/536836/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://packetstormsecurity.com/files/134218/ATutor-2.2-PHP-Code-Injection.html | x_refsource_MISC | |
http://seclists.org/fulldisclosure/2015/Nov/13 | mailing-list, x_refsource_FULLDISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:58:59.651Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://karmainsecurity.com/KIS-2015-08" }, { "name": "20151104 [KIS-2015-08] ATutor \u003c= 2.2 (edit_marks.php) PHP Code Injection Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/536836/100/0/threaded" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/134218/ATutor-2.2-PHP-Code-Injection.html" }, { "name": "20151104 [KIS-2015-08] ATutor \u003c= 2.2 (edit_marks.php) PHP Code Injection Vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/13" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-11-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the (1) asc or (2) desc parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://karmainsecurity.com/KIS-2015-08" }, { "name": "20151104 [KIS-2015-08] ATutor \u003c= 2.2 (edit_marks.php) PHP Code Injection Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/536836/100/0/threaded" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/134218/ATutor-2.2-PHP-Code-Injection.html" }, { "name": "20151104 [KIS-2015-08] ATutor \u003c= 2.2 (edit_marks.php) PHP Code Injection Vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/13" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7712", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the (1) asc or (2) desc parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://karmainsecurity.com/KIS-2015-08", "refsource": "MISC", "url": "http://karmainsecurity.com/KIS-2015-08" }, { "name": "20151104 [KIS-2015-08] ATutor \u003c= 2.2 (edit_marks.php) PHP Code Injection Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/536836/100/0/threaded" }, { "name": "http://packetstormsecurity.com/files/134218/ATutor-2.2-PHP-Code-Injection.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/134218/ATutor-2.2-PHP-Code-Injection.html" }, { "name": "20151104 [KIS-2015-08] ATutor \u003c= 2.2 (edit_marks.php) PHP Code Injection Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/Nov/13" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7712", "datePublished": "2015-11-16T19:00:00", "dateReserved": "2015-10-05T00:00:00", "dateUpdated": "2024-08-06T07:58:59.651Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-12169
Vulnerability from cvelistv5
Published
2019-06-03 20:00
Modified
2024-08-04 23:10
Summary
ATutor 2.2.4 allows arbitrary file upload and directory traversal, resulting in remote code execution, via a ZIP archive containing an entry whose pathname includes ".." (so that the entry is extracted outside the intended directory) submitted to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.
References
▼ | URL | Tags |
---|---|---|
https://github.com/fuzzlove | x_refsource_MISC | |
https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit | x_refsource_MISC | |
http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/ | x_refsource_MISC | |
http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html | x_refsource_MISC | |
http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T23:10:30.825Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/fuzzlove" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a \"..\" pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-06-30T19:06:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/fuzzlove" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit" }, { "tags": [ "x_refsource_MISC" ], "url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12169", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a \"..\" pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/fuzzlove", "refsource": "MISC", "url": "https://github.com/fuzzlove" }, { "name": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit", "refsource": "MISC", "url": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit" }, { "name": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/", "refsource": "MISC", "url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/" }, { "name": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html" }, { "name": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12169", "datePublished": "2019-06-03T20:00:28", "dateReserved": "2019-05-17T00:00:00", "dateUpdated": "2024-08-04T23:10:30.825Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-7172
Vulnerability from cvelistv5
Published
2019-01-29 18:00
Modified
2024-09-17 01:12
Summary
A stored self-XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code via the vulnerable Real Name field of /mods/_core/users/admins/my_edit.php.
References
▼ | URL | Tags |
---|---|---|
https://github.com/atutor/ATutor/issues/164 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T20:38:33.479Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/atutor/ATutor/issues/164" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-01-29T18:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/atutor/ATutor/issues/164" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-7172", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/atutor/ATutor/issues/164", "refsource": "MISC", "url": "https://github.com/atutor/ATutor/issues/164" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-7172", "datePublished": "2019-01-29T18:00:00Z", "dateReserved": "2019-01-29T00:00:00Z", "dateUpdated": "2024-09-17T01:12:11.435Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-27008
Vulnerability from cvelistv5
Published
2023-03-28 00:00
Modified
2025-02-18 20:18
Summary
A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T12:01:31.892Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://plantplants213607121.wordpress.com/2023/02/16/atutor-2-2-1-cross-site-scripting-via-the-token-body-parameter/" } ], "title": "CVE Program Container" }, { "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } }, { "other": { "content": { "id": "CVE-2023-27008", "options": [ { "Exploitation": "poc" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-02-18T20:17:31.351746Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-02-18T20:18:14.297Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-03-28T00:00:00.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://plantplants213607121.wordpress.com/2023/02/16/atutor-2-2-1-cross-site-scripting-via-the-token-body-parameter/" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2023-27008", "datePublished": "2023-03-28T00:00:00.000Z", "dateReserved": "2023-02-27T00:00:00.000Z", "dateUpdated": "2025-02-18T20:18:14.297Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-1000002
Vulnerability from cvelistv5
Published
2017-07-13 20:00
Modified
2024-08-05 21:45
Summary
ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component, resulting in code execution, and to a directory traversal in the Course Icon component, resulting in information disclosure.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/99599 | vdb-entry, x_refsource_BID | |
http://www.atutor.ca/atutor/mantis/view.php?id=5681 | x_refsource_CONFIRM | |
http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:45:25.996Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "99599", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99599" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-07-13T00:00:00", "descriptions": [ { "lang": "en", "value": "ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal vulnerability in the Course Icon component resulting in information disclosure." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-18T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "99599", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99599" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-1000002", "REQUESTER": "mattd@bugfuzz.com", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal vulnerability in the Course Icon component resulting in information disclosure." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "99599", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99599" }, { "name": "http://www.atutor.ca/atutor/mantis/view.php?id=5681", "refsource": "CONFIRM", "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "name": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55", "refsource": "CONFIRM", "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000002", "datePublished": "2017-07-13T20:00:00", "dateReserved": "2017-07-10T00:00:00", "dateUpdated": "2024-08-05T21:45:25.996Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2011-3706
Vulnerability from cvelistv5
Published
2011-09-23 23:00
Modified
2024-09-17 04:10
Summary
ATutor 2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by users/tool_settings.inc.php and certain other files.
References
▼ | URL | Tags |
---|---|---|
http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/ATutor-2.0 | x_refsource_MISC | |
http://www.openwall.com/lists/oss-security/2011/06/27/6 | mailing-list, x_refsource_MLIST | |
http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T23:46:02.654Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/ATutor-2.0" }, { "name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2011/06/27/6" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ATutor 2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by users/tool_settings.inc.php and certain other files." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2011-09-23T23:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/ATutor-2.0" }, { "name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2011/06/27/6" }, { "tags": [ "x_refsource_MISC" ], "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2011-3706", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ATutor 2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by users/tool_settings.inc.php and certain other files." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/ATutor-2.0", "refsource": "MISC", "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/ATutor-2.0" }, { "name": "[oss-security] 20110627 Re: CVE request: Joomla unspecified information disclosure vulnerability", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2011/06/27/6" }, { "name": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README", "refsource": "MISC", "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2011-3706", "datePublished": "2011-09-23T23:00:00Z", "dateReserved": "2011-09-23T00:00:00Z", "dateUpdated": "2024-09-17T04:10:04.559Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-2091
Vulnerability from cvelistv5
Published
2014-03-02 17:00
Modified
2024-08-06 10:05
Summary
Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title parameter in an add_forum action. NOTE: the original disclosure also reported issues that may not cross privilege boundaries.
References
▼ | URL | Tags |
---|---|---|
http://packetstormsecurity.com/files/125348/ATutor-2.1.1-Cross-Site-Scripting.html | x_refsource_MISC | |
http://www.securityfocus.com/bid/65744 | vdb-entry, x_refsource_BID |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:05:57.922Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/125348/ATutor-2.1.1-Cross-Site-Scripting.html" }, { "name": "65744", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/65744" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-02-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title parameter in an add_forum action. NOTE: the original disclosure also reported issues that may not cross privilege boundaries." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-05-14T16:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/125348/ATutor-2.1.1-Cross-Site-Scripting.html" }, { "name": "65744", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/65744" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2091", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title parameter in an add_forum action. NOTE: the original disclosure also reported issues that may not cross privilege boundaries." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://packetstormsecurity.com/files/125348/ATutor-2.1.1-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/125348/ATutor-2.1.1-Cross-Site-Scripting.html" }, { "name": "65744", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65744" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2091", "datePublished": "2014-03-02T17:00:00", "dateReserved": "2014-02-24T00:00:00", "dateUpdated": "2024-08-06T10:05:57.922Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-9753
Vulnerability from cvelistv5
Published
2020-02-11 17:51
Modified
2024-08-06 13:55
Summary
confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter.
References
▼ | URL | Tags |
---|---|---|
http://karmainsecurity.com/KIS-2015-06 | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded | x_refsource_MISC | |
http://seclists.org/fulldisclosure/2015/Nov/11 | x_refsource_MISC | |
http://update.atutor.ca/patch/2_2/2_2-6/patch.xml | x_refsource_MISC | |
https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:55:04.520Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://karmainsecurity.com/KIS-2015-06" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/11" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-11-04T00:00:00", "descriptions": [ { "lang": "en", "value": "confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-11T17:51:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://karmainsecurity.com/KIS-2015-06" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded" }, { "tags": [ "x_refsource_MISC" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/11" }, { "tags": [ "x_refsource_MISC" ], "url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9753", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://karmainsecurity.com/KIS-2015-06", "refsource": "MISC", "url": "http://karmainsecurity.com/KIS-2015-06" }, { "name": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded", "refsource": "MISC", "url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded" }, { "name": "http://seclists.org/fulldisclosure/2015/Nov/11", "refsource": "MISC", "url": "http://seclists.org/fulldisclosure/2015/Nov/11" }, { "name": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml", "refsource": "MISC", "url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml" }, { "name": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d", "refsource": "MISC", "url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9753", "datePublished": "2020-02-11T17:51:14", "dateReserved": "2015-10-05T00:00:00", "dateUpdated": "2024-08-06T13:55:04.520Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-10400
Vulnerability from cvelistv5
Published
2017-07-22 17:00
Modified
2024-09-16 20:58
Summary
Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack.
References
▼ | URL | Tags |
---|---|---|
https://www.htbridge.com/advisory/HTB23297 | x_refsource_MISC | |
https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2 | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T03:21:51.774Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.htbridge.com/advisory/HTB23297" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-22T17:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://www.htbridge.com/advisory/HTB23297" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-10400", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://www.htbridge.com/advisory/HTB23297", "refsource": "MISC", "url": "https://www.htbridge.com/advisory/HTB23297" }, { "name": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2", "refsource": "MISC", "url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-10400", "datePublished": "2017-07-22T17:00:00Z", "dateReserved": "2017-07-22T00:00:00Z", "dateUpdated": "2024-09-16T20:58:58.691Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2012-6528
Vulnerability from cvelistv5
Published
2013-01-31 02:00
Modified
2024-08-06 21:28
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) themes/default/tile_search/index.tmpl.php, (2) login.php, (3) search.php, (4) password_reminder.php, (5) login.php/jscripts/infusion, (6) login.php/mods/_standard/flowplayer, (7) browse.php/jscripts/infusion/framework/fss, (8) registration.php/themes/default/ie_styles.css, (9) about.php, or (10) themes/default/social/basic_profile.tmpl.php.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/bid/51423 | vdb-entry, x_refsource_BID | |
https://exchange.xforce.ibmcloud.com/vulnerabilities/72412 | vdb-entry, x_refsource_XF | |
http://archives.neohapsis.com/archives/bugtraq/2012-01/0094.html | mailing-list, x_refsource_BUGTRAQ | |
http://atutor.ca/atutor/change_log.php | x_refsource_CONFIRM | |
http://www.darksecurity.de/advisories/2012/SSCHADV2012-002.txt | x_refsource_MISC | |
http://secunia.com/advisories/47597 | third-party-advisory, x_refsource_SECUNIA |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:28:39.815Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "51423", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/51423" }, { "name": "atutor-multiplescripts-xss(72412)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72412" }, { "name": "20120115 ATutor 2.0.3 Multiple XSS vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0094.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://atutor.ca/atutor/change_log.php" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.darksecurity.de/advisories/2012/SSCHADV2012-002.txt" }, { "name": "47597", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/47597" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-01-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) themes/default/tile_search/index.tmpl.php, (2) login.php, (3) search.php, (4) password_reminder.php, (5) login.php/jscripts/infusion, (6) login.php/mods/_standard/flowplayer, (7) browse.php/jscripts/infusion/framework/fss, (8) registration.php/themes/default/ie_styles.css, (9) about.php, or (10) themes/default/social/basic_profile.tmpl.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "51423", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/51423" }, { "name": "atutor-multiplescripts-xss(72412)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72412" }, { "name": "20120115 ATutor 2.0.3 Multiple XSS vulnerabilities", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0094.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://atutor.ca/atutor/change_log.php" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.darksecurity.de/advisories/2012/SSCHADV2012-002.txt" }, { "name": "47597", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/47597" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-6528", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) themes/default/tile_search/index.tmpl.php, (2) login.php, (3) search.php, (4) password_reminder.php, (5) login.php/jscripts/infusion, (6) login.php/mods/_standard/flowplayer, (7) browse.php/jscripts/infusion/framework/fss, (8) registration.php/themes/default/ie_styles.css, (9) about.php, or (10) themes/default/social/basic_profile.tmpl.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "51423", "refsource": "BID", "url": "http://www.securityfocus.com/bid/51423" }, { "name": "atutor-multiplescripts-xss(72412)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72412" }, { "name": "20120115 ATutor 2.0.3 Multiple XSS vulnerabilities", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0094.html" }, { "name": "http://atutor.ca/atutor/change_log.php", "refsource": "CONFIRM", "url": "http://atutor.ca/atutor/change_log.php" }, { "name": "http://www.darksecurity.de/advisories/2012/SSCHADV2012-002.txt", "refsource": "MISC", "url": "http://www.darksecurity.de/advisories/2012/SSCHADV2012-002.txt" }, { "name": "47597", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/47597" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-6528", "datePublished": "2013-01-31T02:00:00", "dateReserved": "2013-01-30T00:00:00", "dateUpdated": "2024-08-06T21:28:39.815Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-14981
Vulnerability from cvelistv5
Published
2017-10-02 01:00
Modified
2024-09-17 00:06
Summary
Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtering of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website.
References
▼ | URL | Tags |
---|---|---|
https://github.com/atutor/ATutor/issues/135 | x_refsource_CONFIRM | |
https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090 | x_refsource_CONFIRM |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T19:42:22.437Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/atutor/ATutor/issues/135" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-10-02T01:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/atutor/ATutor/issues/135" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-14981", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. 
The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/atutor/ATutor/issues/135", "refsource": "CONFIRM", "url": "https://github.com/atutor/ATutor/issues/135" }, { "name": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090", "refsource": "CONFIRM", "url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-14981", "datePublished": "2017-10-02T01:00:00Z", "dateReserved": "2017-10-01T00:00:00Z", "dateUpdated": "2024-09-17T00:06:38.894Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2008-0828
Vulnerability from cvelistv5
Published
2008-02-19 21:00
Modified
2024-08-07 08:01
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in (a) forum post or (b) mail; or (2) the website field of the profile.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/488293/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://secunia.com/advisories/29015 | third-party-advisory, x_refsource_SECUNIA | |
http://www.securityfocus.com/bid/27855 | vdb-entry, x_refsource_BID | |
http://securityreason.com/securityalert/3670 | third-party-advisory, x_refsource_SREASON |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-07T08:01:39.781Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20080217 ATutor \u003c= 1.5.5 Cross Site Scripting", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/488293/100/0/threaded" }, { "name": "29015", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/29015" }, { "name": "27855", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/27855" }, { "name": "3670", "tags": [ "third-party-advisory", "x_refsource_SREASON", "x_transferred" ], "url": "http://securityreason.com/securityalert/3670" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2008-02-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in (a) forum post or (b) mail; or (2) the website field of the profile." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20080217 ATutor \u003c= 1.5.5 Cross Site Scripting", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/488293/100/0/threaded" }, { "name": "29015", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/29015" }, { "name": "27855", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/27855" }, { "name": "3670", "tags": [ "third-party-advisory", "x_refsource_SREASON" ], "url": "http://securityreason.com/securityalert/3670" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-0828", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in (a) forum post or (b) mail; or (2) the website field of the profile." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20080217 ATutor \u003c= 1.5.5 Cross Site Scripting", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/488293/100/0/threaded" }, { "name": "29015", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/29015" }, { "name": "27855", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27855" }, { "name": "3670", "refsource": "SREASON", "url": "http://securityreason.com/securityalert/3670" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-0828", "datePublished": "2008-02-19T21:00:00", "dateReserved": "2008-02-19T00:00:00", "dateUpdated": "2024-08-07T08:01:39.781Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2019-11446
Vulnerability from cvelistv5
Published
2019-04-22 04:01
Modified
2024-08-04 22:55
Summary
An issue was discovered in ATutor through 2.2.4. It allows a user with teacher privileges to run commands on the server. The Upload Files section of the File Manager contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase extensions (and thus .phP is a bypass), and omits .shtml and .phtml.
References
▼ | URL | Tags |
---|---|---|
https://www.exploit-db.com/exploits/46691/ | exploit, x_refsource_EXPLOIT-DB | |
http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T22:55:39.688Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "46691", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/46691/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-04-24T15:13:45", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "46691", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/46691/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11446", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "46691", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46691/" }, { "name": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html", "refsource": "MISC", "url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11446", "datePublished": "2019-04-22T04:01:09", "dateReserved": "2019-04-21T00:00:00", "dateUpdated": "2024-08-04T22:55:39.688Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2016-2555
Vulnerability from cvelistv5
Published
2017-04-13 14:00
Modified
2024-08-05 23:32
Summary
SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php.
References
▼ | URL | Tags |
---|---|---|
https://github.com/atutor/ATutor/commit/945a9dca01def8536516088da30fe6a4b7e9fa85 | x_refsource_CONFIRM | |
https://www.exploit-db.com/exploits/39514/ | exploit, x_refsource_EXPLOIT-DB | |
http://sourceincite.com/research/src-2016-08/ | x_refsource_MISC | |
https://github.com/atutor/ATutor/commit/629b2c992447f7670a2fecc484abfad8c4c2d298 | x_refsource_CONFIRM | |
http://www.rapid7.com/db/modules/exploit/multi/http/atutor_sqli | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T23:32:20.949Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/atutor/ATutor/commit/945a9dca01def8536516088da30fe6a4b7e9fa85" }, { "name": "39514", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/39514/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://sourceincite.com/research/src-2016-08/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/atutor/ATutor/commit/629b2c992447f7670a2fecc484abfad8c4c2d298" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.rapid7.com/db/modules/exploit/multi/http/atutor_sqli" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-03-08T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-09-07T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/atutor/ATutor/commit/945a9dca01def8536516088da30fe6a4b7e9fa85" }, { "name": "39514", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/39514/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://sourceincite.com/research/src-2016-08/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/atutor/ATutor/commit/629b2c992447f7670a2fecc484abfad8c4c2d298" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.rapid7.com/db/modules/exploit/multi/http/atutor_sqli" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-2555", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/atutor/ATutor/commit/945a9dca01def8536516088da30fe6a4b7e9fa85", "refsource": "CONFIRM", "url": "https://github.com/atutor/ATutor/commit/945a9dca01def8536516088da30fe6a4b7e9fa85" }, { "name": "39514", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/39514/" }, { "name": "http://sourceincite.com/research/src-2016-08/", "refsource": "MISC", "url": "http://sourceincite.com/research/src-2016-08/" }, { "name": "https://github.com/atutor/ATutor/commit/629b2c992447f7670a2fecc484abfad8c4c2d298", "refsource": "CONFIRM", "url": "https://github.com/atutor/ATutor/commit/629b2c992447f7670a2fecc484abfad8c4c2d298" }, { "name": "http://www.rapid7.com/db/modules/exploit/multi/http/atutor_sqli", "refsource": "MISC", "url": "http://www.rapid7.com/db/modules/exploit/multi/http/atutor_sqli" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-2555", "datePublished": "2017-04-13T14:00:00", "dateReserved": "2016-02-24T00:00:00", "dateUpdated": "2024-08-05T23:32:20.949Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2014-9752
Vulnerability from cvelistv5
Published
2015-11-16 19:00
Modified
2024-08-06 13:55
Summary
Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a direct request to the file in content/.
References
▼ | URL | Tags |
---|---|---|
http://www.securityfocus.com/archive/1/536834/100/0/threaded | mailing-list, x_refsource_BUGTRAQ | |
http://update.atutor.ca/patch/2_2/2_2-6/patch.xml | x_refsource_CONFIRM | |
http://karmainsecurity.com/KIS-2015-05 | x_refsource_MISC | |
http://seclists.org/fulldisclosure/2015/Nov/10 | mailing-list, x_refsource_FULLDISC | |
http://packetstormsecurity.com/files/134215/ATutor-2.2-File-Upload.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:55:04.464Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20151104 [KIS-2015-05] ATutor \u003c= 2.2 (Custom Course Icon) Unrestricted File Upload Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/536834/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://karmainsecurity.com/KIS-2015-05" }, { "name": "20151104 [KIS-2015-05] ATutor \u003c= 2.2 (Custom Course Icon) Unrestricted File Upload Vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/10" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/134215/ATutor-2.2-File-Upload.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-11-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a direct request to the file in content/." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20151104 [KIS-2015-05] ATutor \u003c= 2.2 (Custom Course Icon) Unrestricted File Upload Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/536834/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml" }, { "tags": [ "x_refsource_MISC" ], "url": "http://karmainsecurity.com/KIS-2015-05" }, { "name": "20151104 [KIS-2015-05] ATutor \u003c= 2.2 (Custom Course Icon) Unrestricted File Upload Vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/10" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/134215/ATutor-2.2-File-Upload.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9752", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a direct request to the file in content/." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20151104 [KIS-2015-05] ATutor \u003c= 2.2 (Custom Course Icon) Unrestricted File Upload Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/536834/100/0/threaded" }, { "name": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml", "refsource": "CONFIRM", "url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml" }, { "name": "http://karmainsecurity.com/KIS-2015-05", "refsource": "MISC", "url": "http://karmainsecurity.com/KIS-2015-05" }, { "name": "20151104 [KIS-2015-05] ATutor \u003c= 2.2 (Custom Course Icon) Unrestricted File Upload Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/Nov/10" }, { "name": "http://packetstormsecurity.com/files/134215/ATutor-2.2-File-Upload.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/134215/ATutor-2.2-File-Upload.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9752", "datePublished": "2015-11-16T19:00:00", "dateReserved": "2015-10-05T00:00:00", "dateUpdated": "2024-08-06T13:55:04.464Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2015-7711
Vulnerability from cvelistv5
Published
2017-08-31 22:00
Modified
2024-08-06 07:58
Summary
Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter.
References
▼ | URL | Tags |
---|---|---|
http://seclists.org/fulldisclosure/2015/Nov/12 | mailing-list, x_refsource_FULLDISC | |
http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html | x_refsource_MISC | |
http://karmainsecurity.com/KIS-2015-07 | x_refsource_MISC | |
http://www.securityfocus.com/archive/1/536837/100/0/threaded | mailing-list, x_refsource_BUGTRAQ |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:58:59.974Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/12" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://karmainsecurity.com/KIS-2015-07" }, { "name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-11-04T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/12" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://karmainsecurity.com/KIS-2015-07" }, { "name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7711", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2015/Nov/12" }, { "name": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html" }, { "name": "http://karmainsecurity.com/KIS-2015-07", "refsource": "MISC", "url": "http://karmainsecurity.com/KIS-2015-07" }, { "name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7711", "datePublished": "2017-08-31T22:00:00", "dateReserved": "2015-10-05T00:00:00", "dateUpdated": "2024-08-06T07:58:59.974Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2019-09-09 13:15
Modified
2024-11-21 04:30
Summary
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use an attacker-controlled database, which allows the attacker to gain access to the application. Next, the attacker can change the directory that the application uploads files to, which allows remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DAE444F-3475-41BE-AB95-1EDBA4B9604F", "versionEndIncluding": "2.2.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php." }, { "lang": "es", "value": "En ATutor versiones 2.2.4, un atacante no autenticado puede cambiar la configuraci\u00f3n de la aplicaci\u00f3n y forzarla a utilizar su base de datos dise\u00f1ada, lo que le permite conseguir acceso a la aplicaci\u00f3n. Y a continuaci\u00f3n, puede cambiar el directorio en el cual la aplicaci\u00f3n carga los archivos, que le permite alcanzar la ejecuci\u00f3n de c\u00f3digo remota. Esto ocurre porque el archivo install/include/header.php no restringe ciertos cambios (en db_host, db_login, db_password y content_dir) dentro del archivo install/include/step5.php." 
} ], "id": "CVE-2019-16114", "lastModified": "2024-11-21T04:30:04.517", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-09-09T13:15:11.777", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "https://github.com/atutor/ATutor/commits/master" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/atutor/ATutor/commits/master" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": 
"Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-07-17 13:18
Modified
2024-11-21 03:03
Summary
ATutor versions 2.2.1 and earlier are vulnerable to SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components, resulting in information disclosure, database modification, or potential code execution.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55 | Vendor Advisory | |
cve@mitre.org | http://www.atutor.ca/atutor/mantis/view.php?id=5681 | Permissions Required | |
cve@mitre.org | http://www.securityfocus.com/bid/99599 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.atutor.ca/atutor/mantis/view.php?id=5681 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99599 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "477E8516-CADE-4D79-85C3-E64736C03CA7", "versionEndIncluding": "2.2.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution." }, { "lang": "es", "value": "La versiones 2.2.1 y anteriores de ATutor, son vulnerables a una inyecci\u00f3n SQL en los componentes Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login y Gradebook, resultando en la divulgaci\u00f3n de informaci\u00f3n, modificaci\u00f3n de la base de datos o una potencial ejecuci\u00f3n de c\u00f3digo." 
} ], "id": "CVE-2017-1000004", "lastModified": "2024-11-21T03:03:56.863", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-07-17T13:18:16.030", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" }, { "source": "cve@mitre.org", "tags": [ "Permissions Required" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99599" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB 
Entry" ], "url": "http://www.securityfocus.com/bid/99599" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2023-03-28 15:15
Modified
2025-02-18 21:15
Severity ?
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "3379F338-0AB7-4ECE-B5C5-42DA74D9FD9A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter." } ], "id": "CVE-2023-27008", "lastModified": "2025-02-18T21:15:15.000", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }, "published": "2023-03-28T15:15:06.973", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://plantplants213607121.wordpress.com/2023/02/16/atutor-2-2-1-cross-site-scripting-via-the-token-body-parameter/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://plantplants213607121.wordpress.com/2023/02/16/atutor-2-2-1-cross-site-scripting-via-the-token-body-parameter/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2021-08-17 22:15
Modified
2024-11-21 05:13
Severity ?
Summary
A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/ | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/ | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DAE444F-3475-41BE-AB95-1EDBA4B9604F", "versionEndIncluding": "2.2.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross site scripting (XSS) reflejado en el componente /header.tmpl.php de ATutor versi\u00f3n 2.2.4, permite a atacantes ejecutar scripts web o HTML arbitrario por medio de una carga \u00fatil dise\u00f1ada." } ], "id": "CVE-2020-23341", "lastModified": "2024-11-21T05:13:45.950", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-08-17T22:15:08.010", "references": [ { "source": "cve@mitre.org", "tags": 
[ "Exploit", "Third Party Advisory" ], "url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2013-01-31 05:44
Modified
2024-11-21 01:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) themes/default/tile_search/index.tmpl.php, (2) login.php, (3) search.php, (4) password_reminder.php, (5) login.php/jscripts/infusion, (6) login.php/mods/_standard/flowplayer, (7) browse.php/jscripts/infusion/framework/fss, (8) registration.php/themes/default/ie_styles.css, (9) about.php, or (10) themes/default/social/basic_profile.tmpl.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atutor | atutor | * | |
atutor | atutor | 1.0 | |
atutor | atutor | 1.2.1 | |
atutor | atutor | 1.2.2 | |
atutor | atutor | 1.3 | |
atutor | atutor | 1.3.1 | |
atutor | atutor | 1.3.2 | |
atutor | atutor | 1.3.3 | |
atutor | atutor | 1.4 | |
atutor | atutor | 1.4.1 | |
atutor | atutor | 1.4.2 | |
atutor | atutor | 1.4.3 | |
atutor | atutor | 1.5.1 | |
atutor | atutor | 1.5.1 | |
atutor | atutor | 1.5.1 | |
atutor | atutor | 1.5.2 | |
atutor | atutor | 1.5.3 | |
atutor | atutor | 1.5.3 | |
atutor | atutor | 1.5.3.1 | |
atutor | atutor | 1.5.3.2 | |
atutor | atutor | 1.5.4 | |
atutor | atutor | 1.5.5 | |
atutor | atutor | 1.6 | |
atutor | atutor | 1.6.1 | |
atutor | atutor | 1.6.1 | |
atutor | atutor | 1.6.4 | |
atutor | atutor | 2.0.1 | |
atutor | atutor | 2.0.2 | |
atutor | atutor | 2.0.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "288F80E7-988C-440C-A370-68382CF0BC24", "versionEndIncluding": "2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1D4F1FB2-F35E-444F-8A7F-77C6FDCE9CC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "FED293AE-94FD-444B-85A6-3ABCC7C97654", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "ECE4E6E1-0B9B-4EBE-8727-AD04E1BB5C02", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "827CD64E-2E84-422A-A405-16FCB4E80863", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "CE05B757-B3B2-47DE-AFB6-073D5C639D07", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "3D97A1FF-B3B4-406C-814A-F7504B9EE290", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "1A3D3293-3761-46BE-B581-8B8447FB5059", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "31C48DDB-B334-499A-9C1B-122D6942BD57", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "9E682277-2B37-4C0B-98F5-52A4427B8853", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "341B04AA-926D-400E-9A47-D2F183E26AC9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": "05E50596-38A3-4C7A-9561-99950DA33A4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "7BA98319-09F3-4AE9-AF14-B1BE424AB7DF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.1:pl1:*:*:*:*:*:*", "matchCriteriaId": 
"DD94D6E8-4DA1-48C9-8708-43D1BEDB6CC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.1:pl2:*:*:*:*:*:*", "matchCriteriaId": "0AD5C011-1B1C-4DC2-AA01-81B14EF2B8E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C60745C-ECC2-41AD-8795-6D274F269F85", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "2765EAFB-6663-4F16-B285-6DA8D26E6CD0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "3849980E-F74A-4C85-B3A1-FECAF888546F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "D5B36A11-B728-468A-802E-A7C8362D154A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "189D9776-C554-4084-8C31-21935F83A416", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "54D08E87-E4BC-449F-93B6-D567926BCE84", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "ADC1FDA3-8B9A-4293-974F-F07517F3581C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "2E84A54D-D3E2-4B7C-809D-7719FD92ECD0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.6.1:*:*:*:*:*:*:*", "matchCriteriaId": "BAA57CE3-7BE5-49D1-A7A3-0D415EB02533", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.6.1:pl1:*:*:*:*:*:*", "matchCriteriaId": "B1AC00DE-4064-406A-B5EC-B85B15553B29", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "4DD19A48-FC2A-406C-8299-60E87269451F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "6289C4AF-76E4-4194-A61D-2DDB39CF680E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"8132BFA5-6EA0-4158-84AC-4675FF91CF6E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "901A6503-01EB-45B1-897B-A30A49EE5014", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) themes/default/tile_search/index.tmpl.php, (2) login.php, (3) search.php, (4) password_reminder.php, (5) login.php/jscripts/infusion, (6) login.php/mods/_standard/flowplayer, (7) browse.php/jscripts/infusion/framework/fss, (8) registration.php/themes/default/ie_styles.css, (9) about.php, or (10) themes/default/social/basic_profile.tmpl.php." }, { "lang": "es", "value": "M\u00faltiple cross-site scripting (XSS) en ATutor antes de v2.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del PATH_INFO para (1)themes/default/tile_search/index.tmpl.php, (2)login.php, (3)search.php, (4)password_reminder.php, (5)/login.php/jscripts/ infusi\u00f3n, (6)login.php/mods/_standard/flowplayer, (7)browse.php/jscripts/infusi\u00f3n/framework/temasabout.php fss, (8)registration.php/themes/default/ie_styles.css, (9)o(10)/default/social/basic_profile.tmpl.php." 
} ], "id": "CVE-2012-6528", "lastModified": "2024-11-21T01:46:17.443", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2013-01-31T05:44:00.837", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0094.html" }, { "source": "cve@mitre.org", "url": "http://atutor.ca/atutor/change_log.php" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/47597" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.darksecurity.de/advisories/2012/SSCHADV2012-002.txt" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/51423" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72412" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-01/0094.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://atutor.ca/atutor/change_log.php" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/47597" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.darksecurity.de/advisories/2012/SSCHADV2012-002.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": 
"http://www.securityfocus.com/bid/51423" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72412" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-11 18:15
Modified
2024-11-21 02:21
Severity ?
Summary
confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EAF9407-F583-4071-939E-6F65F744452C", "versionEndIncluding": "2.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter." }, { "lang": "es", "value": "El archivo confirm.php en ATutor versiones 2.2 y anteriores, permite a atacantes remotos omitir la autenticaci\u00f3n y conseguir acceso como un usuario existente por medio del par\u00e1metro auto_login." } ], "id": "CVE-2014-9753", "lastModified": "2024-11-21T02:21:35.647", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-11T18:15:16.277", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"http://karmainsecurity.com/KIS-2015-06" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/11" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://karmainsecurity.com/KIS-2015-06" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/11" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-02-07 15:59
Modified
2024-11-21 02:48
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac | Patch, Vendor Advisory | |
cve@mitre.org | https://packetstormsecurity.com/files/136109/ATutor-LMS-2.2.1-CSRF-Remote-Code-Execution.html | Exploit, Patch, Third Party Advisory, VDB Entry | |
cve@mitre.org | https://www.exploit-db.com/exploits/39524/ | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/136109/ATutor-LMS-2.2.1-CSRF-Remote-Code-Execution.html | Exploit, Patch, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/39524/ |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "477E8516-CADE-4D79-85C3-E64736C03CA7", "versionEndIncluding": "2.2.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file." }, { "lang": "es", "value": "Vulnerabilidad de CSRF en install_modules.php en ATutor en versiones anteriores a 2.2.2 permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios para peticiones que cargan archivos arbitrarios y ejecutan c\u00f3digo PHP arbitrario a trav\u00e9s de vectores que implican un archivo zip manipulado." } ], "id": "CVE-2016-2539", "lastModified": "2024-11-21T02:48:39.140", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0" }, 
"exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-02-07T15:59:00.257", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Patch", "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/136109/ATutor-LMS-2.2.1-CSRF-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/39524/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch", "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/136109/ATutor-LMS-2.2.1-CSRF-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/39524/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-02 17:55
Modified
2024-11-21 02:05
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title parameter in an add_forum action. NOTE: the original disclosure also reported issues that may not cross privilege boundaries.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "E3FE4C18-726D-4751-8D92-CD4C814F1082", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title parameter in an add_forum action. NOTE: the original disclosure also reported issues that may not cross privilege boundaries." }, { "lang": "es", "value": "Vulnerabilidad de XSS en mods/_standard/forums/admin/forum_add.php en ATutor 2.1.1 permite a administradores remotos autenticados inyectar script Web o HTML arbitrarios a trav\u00e9s del par\u00e1metro title en un acci\u00f3n add_forum. NOTA: la divulgaci\u00f3n original tambi\u00e9n inform\u00f3 de problemas que pueden no cruzar l\u00edmites de privilegio." 
} ], "id": "CVE-2014-2091", "lastModified": "2024-11-21T02:05:38.150", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-02T17:55:03.033", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/125348/ATutor-2.1.1-Cross-Site-Scripting.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/65744" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/125348/ATutor-2.1.1-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.securityfocus.com/bid/65744" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-03-02 16:15
Modified
2024-11-21 02:25
Severity ?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "DDF111DC-ED34-441F-87B3-C1799A9E589C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site request forgery (CSRF) en ATutor versi\u00f3n 2.2, permiten a atacantes remotos secuestrar la autenticaci\u00f3n de administradores para peticiones que (1) crean una cuenta de administrador por medio de una petici\u00f3n al archivo mods/_core/users/admins/create.php o (2 ) crea una cuenta de usuario mediante una petici\u00f3n al archivo mods/_core/users/create_user.php." 
} ], "id": "CVE-2015-1583", "lastModified": "2024-11-21T02:25:42.733", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-03-02T16:15:11.300", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/72845" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": 
"https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/72845" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-07-17 13:18
Modified
2024-11-21 03:03
Severity ?
Summary
ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55 | Broken Link | |
cve@mitre.org | http://www.atutor.ca/atutor/mantis/view.php?id=5681 | Broken Link | |
cve@mitre.org | http://www.securityfocus.com/bid/99599 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55 | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.atutor.ca/atutor/mantis/view.php?id=5681 | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99599 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "477E8516-CADE-4D79-85C3-E64736C03CA7", "versionEndIncluding": "2.2.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation." }, { "lang": "es", "value": "ATutor en sus versiones 2.2.1 y anteriores es vulnerable a una verificaci\u00f3n de control de acceso incorrecta en el componente Social Application, lo que da como resultado un escalado de privilegios. ATutor en sus versiones 2.2.1 y anteriores es vulnerable a una verificaci\u00f3n de control de acceso incorrecta en el componente Module, lo que da como resultado un escalado de privilegios. ATutor en sus versiones 2.2.1 y anteriores es vulnerable a una verificaci\u00f3n de control de acceso incorrecta en el componente Alternative Content, lo que da como resultado un escalado de privilegios." 
} ], "id": "CVE-2017-1000003", "lastModified": "2024-11-21T03:03:56.713", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-07-17T13:18:16.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99599" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"http://www.securityfocus.com/bid/99599" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-06-03 20:29
Modified
2024-11-21 04:22
Severity ?
Summary
ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "56BA38F4-C256-4ADD-9A90-24E2D3BFE811", "versionEndIncluding": "2.2.4", "versionStartIncluding": "2.2.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a \"..\" pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component." }, { "lang": "es", "value": "Un Tutor 2.2.4 permite la carga arbitraria de archivos y el recorrido de directorios, lo que da como resultado la ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de una ruta de \"..\" en un archivo ZIP a las modificaciones / _core / languages / language_import.php (tambi\u00e9n conocido como Import New Language) o mods / _standard /patcher/index_admin.php conocido como Patcher) componente." 
} ], "id": "CVE-2019-12169", "lastModified": "2024-11-21T04:22:21.403", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-06-03T20:29:00.703", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "URL Repurposed" ], "url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/fuzzlove" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "URL Repurposed" ], "url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/fuzzlove" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-01-29 18:29
Modified
2024-11-21 04:47
Severity ?
Summary
A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/atutor/ATutor/issues/164 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/atutor/ATutor/issues/164 | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DAE444F-3475-41BE-AB95-1EDBA4B9604F", "versionEndIncluding": "2.2.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php." }, { "lang": "es", "value": "Existe autocross-Site Scripting (XSS) persistente en ATutor, hasta la versi\u00f3n v2.2.4, que permite a los atacantes ejecutar c\u00f3digo HTML o JavaScript en un campo \"Real Name\" vulnerable en /mods/_core/users/admins/my_edit.php." } ], "id": "CVE-2019-7172", "lastModified": "2024-11-21T04:47:43.003", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-01-29T18:29:00.413", "references": [ { "source": "cve@mitre.org", "tags": [ 
"Exploit", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/issues/164" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/issues/164" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-07-22 17:29
Modified
2024-11-21 02:43
Severity ?
Summary
Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2 | Third Party Advisory | |
cve@mitre.org | https://www.htbridge.com/advisory/HTB23297 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.htbridge.com/advisory/HTB23297 | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "477E8516-CADE-4D79-85C3-E64736C03CA7", "versionEndIncluding": "2.2.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack." }, { "lang": "es", "value": "Un salto de directorio se presenta en ATutor anterior a la versi\u00f3n 2.2.2 por medio del par\u00e1metro icon en archivo /mods/_core/courses/users/create_course.php. El atacante puede leer un archivo arbitrario mediante la visita a get_course_icon.php?id= despu\u00e9s del ataque de salto de directorio." } ], "id": "CVE-2016-10400", "lastModified": "2024-11-21T02:43:55.583", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": 
"Primary" } ] }, "published": "2017-07-22T17:29:00.177", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.htbridge.com/advisory/HTB23297" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://www.htbridge.com/advisory/HTB23297" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-02-19 21:44
Modified
2024-11-21 00:43
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in (a) forum post or (b) mail; or (2) the website field of the profile.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atutor | atutor | * | |
atutor | atutor | 0.9.6 | |
atutor | atutor | 0.9.7 | |
atutor | atutor | 1.0 | |
atutor | atutor | 1.2.1 | |
atutor | atutor | 1.2.2 | |
atutor | atutor | 1.3 | |
atutor | atutor | 1.3.1 | |
atutor | atutor | 1.3.2 | |
atutor | atutor | 1.3.3 | |
atutor | atutor | 1.4 | |
atutor | atutor | 1.4.1 | |
atutor | atutor | 1.4.2 | |
atutor | atutor | 1.4.3 | |
atutor | atutor | 1.5.1 | |
atutor | atutor | 1.5.1 | |
atutor | atutor | 1.5.1 | |
atutor | atutor | 1.5.2 | |
atutor | atutor | 1.5.3 | |
atutor | atutor | 1.5.3 | |
atutor | atutor | 1.5.3.1 | |
atutor | atutor | 1.5.3.2 | |
atutor | atutor | 1.5.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A91B9E7-35E2-4EEF-9445-6FE85C6F882F", "versionEndIncluding": "1.5.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:0.9.6:*:*:*:*:*:*:*", "matchCriteriaId": "29578CEF-9EC3-4A3D-ADB0-528B7AFA592F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:0.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "5F2D8D00-F509-49BB-8594-D0FD2C8A5011", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1D4F1FB2-F35E-444F-8A7F-77C6FDCE9CC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "FED293AE-94FD-444B-85A6-3ABCC7C97654", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "ECE4E6E1-0B9B-4EBE-8727-AD04E1BB5C02", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "827CD64E-2E84-422A-A405-16FCB4E80863", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "CE05B757-B3B2-47DE-AFB6-073D5C639D07", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "3D97A1FF-B3B4-406C-814A-F7504B9EE290", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "1A3D3293-3761-46BE-B581-8B8447FB5059", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "31C48DDB-B334-499A-9C1B-122D6942BD57", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "9E682277-2B37-4C0B-98F5-52A4427B8853", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "341B04AA-926D-400E-9A47-D2F183E26AC9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4.3:*:*:*:*:*:*:*", "matchCriteriaId": 
"05E50596-38A3-4C7A-9561-99950DA33A4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "7BA98319-09F3-4AE9-AF14-B1BE424AB7DF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.1:pl1:*:*:*:*:*:*", "matchCriteriaId": "DD94D6E8-4DA1-48C9-8708-43D1BEDB6CC7", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.1:pl2:*:*:*:*:*:*", "matchCriteriaId": "0AD5C011-1B1C-4DC2-AA01-81B14EF2B8E1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C60745C-ECC2-41AD-8795-6D274F269F85", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "2765EAFB-6663-4F16-B285-6DA8D26E6CD0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3:rc2:*:*:*:*:*:*", "matchCriteriaId": "3849980E-F74A-4C85-B3A1-FECAF888546F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "D5B36A11-B728-468A-802E-A7C8362D154A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "189D9776-C554-4084-8C31-21935F83A416", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "54D08E87-E4BC-449F-93B6-D567926BCE84", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in (a) forum post or (b) mail; or (2) the website field of the profile." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en ATutor versi\u00f3n 1.5.5 y anteriores, permiten a los atacantes remotos inyectar script web o HTML arbitrario por medio de (1) atributos como style y onmouseover en (a) forum post o (b) email ; o (2) el campo website del perfil." } ], "id": "CVE-2008-0828", "lastModified": "2024-11-21T00:43:00.270", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2008-02-19T21:44:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29015" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/3670" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/488293/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/27855" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/29015" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/3670" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/488293/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.securityfocus.com/bid/27855" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": 
[ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-11-16 19:59
Modified
2024-11-21 02:21
Severity ?
Summary
Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a direct request to the file in content/.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EAF9407-F583-4071-939E-6F65F744452C", "versionEndIncluding": "2.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a direct request to the file in content/." }, { "lang": "es", "value": "Vulnerabilidad de carga de archivos sin restricciones en mods/_core/properties/lib/course.inc.php en ATutor en versiones anteriores a 2.2 patch 6 permite a usuarios remotos autenticados ejecutar c\u00f3digo PHP arbitrario mediante la subida de un archivo con extensi\u00f3n PHP como customicon para un nuevo curso, accediendo a \u00e9l entonces a trav\u00e9s de una petici\u00f3n directa al archivo en content/." 
} ], "evaluatorComment": "\u003ca href=\"http://cwe.mitre.org/data/definitions/434.html\"\u003eCWE-434: Unrestricted Upload of File with Dangerous Type\u003c/a\u003e", "id": "CVE-2014-9752", "lastModified": "2024-11-21T02:21:35.493", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-11-16T19:59:00.140", "references": [ { "source": "cve@mitre.org", "url": "http://karmainsecurity.com/KIS-2015-05" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/134215/ATutor-2.2-File-Upload.html" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2015/Nov/10" }, { "source": "cve@mitre.org", "url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/536834/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://karmainsecurity.com/KIS-2015-05" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/134215/ATutor-2.2-File-Upload.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2015/Nov/10" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/536834/100/0/threaded" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": 
"Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-05 20:59
Modified
2024-11-21 03:29
Severity ?
Summary
Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2.2.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (lang_code in themes/*/admin/system_preferences/language_edit.tmpl.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF908CFF-8192-462B-8966-C6FA918166F9", "versionEndIncluding": "2.2.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2.2.2. The vulnerabilities exist due to insufficient filtration of user-supplied data passed to several pages (lang_code in themes/*/admin/system_preferences/language_edit.tmpl.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website." }, { "lang": "es", "value": "M\u00faltiples problemas de XSS han sido descubiertos en ATutor 2.2.2. Las vulnerabilidades existen debido a filtraci\u00f3n insuficiente de datos suministrados por el usuario a varias p\u00e1ginas (lang_code en themes/*/admen /system_preferences/language_edit.tmpl.php). Un atacante podr\u00eda ejecutar c\u00f3digo HTML y scrip arbitrario en un navegador en el contexto del sitio web vulnerable." 
} ], "id": "CVE-2017-6483", "lastModified": "2024-11-21T03:29:51.777", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-05T20:59:00.357", "references": [ { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/96578" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/atutor/ATutor/issues/129" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/96578" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Vendor Advisory" ], "url": "https://github.com/atutor/ATutor/issues/129" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2011-09-23 23:55
Modified
2024-11-21 01:31
Summary
ATutor 2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by users/tool_settings.inc.php and certain other files.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C0B62C05-AD84-4E97-A675-EBEFDDB7CAC6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ATutor 2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by users/tool_settings.inc.php and certain other files." }, { "lang": "es", "value": "ATutor v2.0 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de una petici\u00f3n directa a un archivo .php, lo que revela la ruta de instalaci\u00f3n en un mensaje de error, como se demostr\u00f3 con users/tool_settings.inc.php y algunos otros archivos." } ], "id": "CVE-2011-3706", "lastModified": "2024-11-21T01:31:02.470", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2011-09-23T23:55:02.160", "references": [ { "source": "cve@mitre.org", "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/ATutor-2.0" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2011/06/27/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/ATutor-2.0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2011/06/27/6" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-04-22 11:29
Modified
2024-11-21 04:21
Summary
An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html | Exploit, Third Party Advisory | |
cve@mitre.org | https://www.exploit-db.com/exploits/46691/ | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/46691/ | Exploit, Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DAE444F-3475-41BE-AB95-1EDBA4B9604F", "versionEndIncluding": "2.2.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml." }, { "lang": "es", "value": "Un problema fue descubierto en ATutor hasta la versi\u00f3n 2.2.4 inclusive. Permite al usuario ejecutar comandos en el servidor con el privilegio de usuario maestro. La secci\u00f3n Upload Files en el espacio Administrador de archivos contiene una vulnerabilidad de carga de archivos arbitraria por medio de upload.php. El valor de $IllegalExtensions solo lista en min\u00fasculas (y, por lo tanto, .phP es un bypass), y omite .shtml y .phtml." 
} ], "id": "CVE-2019-11446", "lastModified": "2024-11-21T04:21:05.707", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-04-22T11:29:06.017", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/46691/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/46691/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { 
"description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-04-08 19:15
Modified
2024-11-21 06:29
Summary
An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/atutor/ATutor/blob/master/password_reminder.php | Exploit, Third Party Advisory | |
cve@mitre.org | https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/atutor/ATutor/blob/master/password_reminder.php | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html | Exploit, Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "FD36A316-4F77-4079-A649-9F3328325E67", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set." }, { "lang": "es", "value": "Se presenta una vulnerabilidad de control de acceso en ATutor versi\u00f3n 2.2.4 en el archivo password_reminder.php cuando son establecidos los par\u00e1metros g, id, h, form_password_hidden y form_change HTTP POST" } ], "id": "CVE-2021-43498", "lastModified": "2024-11-21T06:29:19.367", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-04-08T19:15:07.730", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://github.com/atutor/ATutor/blob/master/password_reminder.php" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-640" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2010-03-16 19:00
Modified
2024-11-21 01:13
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. NOTE: some of these details are obtained from third party information.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:1.6.4:*:*:*:*:*:*:*", "matchCriteriaId": "4DD19A48-FC2A-406C-8299-60E87269451F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. NOTE: some of these details are obtained from third party information." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en ATutor v1.6.4 permite a usuarios autentificados remotamente, con privilegios de Instructor, inyectar c\u00f3digo web o HTML de su elecci\u00f3n a trav\u00e9s de los campos (1) Question y(2) Choice en tools/polls/add.php, los campos(3) Type y (4) Title en tools/groups/create_manual.php; y el campo (5) Title en assignments/add_assignment.php" } ], "id": "CVE-2010-0971", "lastModified": "2024-11-21T01:13:19.570", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2010-03-16T19:00:00.680", "references": [ { "source": "cve@mitre.org", "url": "http://osvdb.org/62904" }, { "source": 
"cve@mitre.org", "url": "http://osvdb.org/62905" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/62906" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.org/1003-exploits/atutor-xss.txt" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/38906" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/11685" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/38656" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56852" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/62904" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/62905" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/62906" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.org/1003-exploits/atutor-xss.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/38906" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/11685" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/38656" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/56852" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-07-17 13:18
Modified
2024-11-21 03:03
Summary
ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal vulnerability in the Course Icon component resulting in information disclosure.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55 | Vendor Advisory | |
cve@mitre.org | http://www.atutor.ca/atutor/mantis/view.php?id=5681 | Permissions Required | |
cve@mitre.org | http://www.securityfocus.com/bid/99599 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.atutor.ca/atutor/mantis/view.php?id=5681 | Permissions Required | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99599 | Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "477E8516-CADE-4D79-85C3-E64736C03CA7", "versionEndIncluding": "2.2.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal vulnerability in the Course Icon component resulting in information disclosure." }, { "lang": "es", "value": "Las versiones 2.2.1 y anteriores de ATutor son vulnerables a una omisi\u00f3n de comprobaci\u00f3n de la extensi\u00f3n de archivo y al salto de directorio en el componente Course, resultando en la ejecuci\u00f3n de c\u00f3digo. ATutor versiones 2.2.1 y anteriores son susceptibles a una vulnerabilidad de salto de directorio en el componente Course Icon, resultando en la divulgaci\u00f3n de informaci\u00f3n." 
} ], "id": "CVE-2017-1000002", "lastModified": "2024-11-21T03:03:56.567", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-07-17T13:18:15.970", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" }, { "source": "cve@mitre.org", "tags": [ "Permissions Required" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99599" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Permissions Required" ], "url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB 
Entry" ], "url": "http://www.securityfocus.com/bid/99599" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-08-31 22:29
Modified
2024-11-21 02:37
Summary
Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://karmainsecurity.com/KIS-2015-07 | Exploit, Third Party Advisory | |
cve@mitre.org | http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | http://seclists.org/fulldisclosure/2015/Nov/12 | Exploit, Mailing List, Third Party Advisory | |
cve@mitre.org | http://www.securityfocus.com/archive/1/536837/100/0/threaded | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://karmainsecurity.com/KIS-2015-07 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2015/Nov/12 | Exploit, Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/536837/100/0/threaded | Exploit, Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EAF9407-F583-4071-939E-6F65F744452C", "versionEndIncluding": "2.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter." }, { "lang": "es", "value": "Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en popuphelp.php en ATutor 2.2 y anteriores que permite que los atacantes remotos inyecten scripts web o HTML arbitrarios mediante el par\u00e1metro h." } ], "id": "CVE-2015-7711", "lastModified": "2024-11-21T02:37:16.390", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-08-31T22:29:00.467", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], 
"url": "http://karmainsecurity.com/KIS-2015-07" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/12" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "http://karmainsecurity.com/KIS-2015-07" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/12" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-11-16 19:59
Modified
2024-11-21 02:37
Summary
Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the (1) asc or (2) desc parameter.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "6EAF9407-F583-4071-939E-6F65F744452C", "versionEndIncluding": "2.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the (1) asc or (2) desc parameter." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de inyecci\u00f3n eval en mods/_standard/gradebook/edit_marks.php en ATutor 2.2 y versiones anteriores permite a usuarios remotos autenticados con el privilegio AT_PRIV_GRADEBOOK ejecutar c\u00f3digo PHP arbitrario a trav\u00e9s del par\u00e1metro (1) asc o (2) desc." } ], "evaluatorComment": "\u003ca href=\"https://cwe.mitre.org/data/definitions/95.html\"\u003eCWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)\u003c/a\u003e", "id": "CVE-2015-7712", "lastModified": "2024-11-21T02:37:16.550", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-11-16T19:59:02.847", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://karmainsecurity.com/KIS-2015-08" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": 
"http://packetstormsecurity.com/files/134218/ATutor-2.2-PHP-Code-Injection.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/13" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/536836/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://karmainsecurity.com/KIS-2015-08" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/134218/ATutor-2.2-PHP-Code-Injection.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://seclists.org/fulldisclosure/2015/Nov/13" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/536836/100/0/threaded" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2008-07-30 17:41
Modified
2024-11-21 00:49
Summary
PHP remote file inclusion vulnerability in tools/packages/import.php in ATutor 1.6.1 pl1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via a URL in the type parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
atutor | atutor | * | |
atutor | atutor | 0.9.6 | |
atutor | atutor | 0.9.7 | |
atutor | atutor | 1.0 | |
atutor | atutor | 1.2.1 | |
atutor | atutor | 1.2.2 | |
atutor | atutor | 1.3 | |
atutor | atutor | 1.3.1 | |
atutor | atutor | 1.3.2 | |
atutor | atutor | 1.3.3 | |
atutor | atutor | 1.4 | |
atutor | atutor | 1.4.1 | |
atutor | atutor | 1.4.2 | |
atutor | atutor | 1.4.3 | |
atutor | atutor | 1.5.1 | |
atutor | atutor | 1.5.2 | |
atutor | atutor | 1.5.3 | |
atutor | atutor | 1.5.3.1 | |
atutor | atutor | 1.5.3.2 | |
atutor | atutor | 1.5.4 | |
atutor | atutor | 1.5.5 | |
atutor | atutor | 1.6 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:pl1:*:*:*:*:*:*", "matchCriteriaId": "5646E7ED-B82B-4D6E-B9B9-E75299A35B39", "versionEndIncluding": "1.6.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:0.9.6:*:*:*:*:*:*:*", "matchCriteriaId": "29578CEF-9EC3-4A3D-ADB0-528B7AFA592F", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:0.9.7:*:*:*:*:*:*:*", "matchCriteriaId": "5F2D8D00-F509-49BB-8594-D0FD2C8A5011", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1D4F1FB2-F35E-444F-8A7F-77C6FDCE9CC3", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "FED293AE-94FD-444B-85A6-3ABCC7C97654", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "ECE4E6E1-0B9B-4EBE-8727-AD04E1BB5C02", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3:*:*:*:*:*:*:*", "matchCriteriaId": "827CD64E-2E84-422A-A405-16FCB4E80863", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "CE05B757-B3B2-47DE-AFB6-073D5C639D07", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "3D97A1FF-B3B4-406C-814A-F7504B9EE290", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "1A3D3293-3761-46BE-B581-8B8447FB5059", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4:*:*:*:*:*:*:*", "matchCriteriaId": "31C48DDB-B334-499A-9C1B-122D6942BD57", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "9E682277-2B37-4C0B-98F5-52A4427B8853", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4.2:*:*:*:*:*:*:*", "matchCriteriaId": "341B04AA-926D-400E-9A47-D2F183E26AC9", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.4.3:*:*:*:*:*:*:*", 
"matchCriteriaId": "05E50596-38A3-4C7A-9561-99950DA33A4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "7BA98319-09F3-4AE9-AF14-B1BE424AB7DF", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "1C60745C-ECC2-41AD-8795-6D274F269F85", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "2765EAFB-6663-4F16-B285-6DA8D26E6CD0", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "D5B36A11-B728-468A-802E-A7C8362D154A", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "189D9776-C554-4084-8C31-21935F83A416", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "54D08E87-E4BC-449F-93B6-D567926BCE84", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "ADC1FDA3-8B9A-4293-974F-F07517F3581C", "vulnerable": true }, { "criteria": "cpe:2.3:a:atutor:atutor:1.6:*:*:*:*:*:*:*", "matchCriteriaId": "2E84A54D-D3E2-4B7C-809D-7719FD92ECD0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "PHP remote file inclusion vulnerability in tools/packages/import.php in ATutor 1.6.1 pl1 and earlier allows remote authenticated administrators to execute arbitrary PHP code via a URL in the type parameter." }, { "lang": "es", "value": "Vulnerabilidad de inclusi\u00f3n remota de archivo PHP en tools/packages/import.php en ATutor 1.6.1 pl1 y anteriores, permite a administradores autenticados remotamente ejecutar c\u00f3digo PHP a trav\u00e9s de una URL en el par\u00e1metro \"type\"." 
} ], "id": "CVE-2008-3368", "lastModified": "2024-11-21T00:49:05.013", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": true, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2008-07-30T17:41:00.000", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/31274" }, { "source": "cve@mitre.org", "url": "http://securityreason.com/securityalert/4064" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/30412" }, { "source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/2206/references" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44051" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/6153" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/31274" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securityreason.com/securityalert/4064" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/30412" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.vupen.com/english/advisories/2008/2206/references" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44051" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/6153" } ], "sourceIdentifier": 
"cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-05-17 22:29
Modified
2024-11-21 04:22
Summary
ATutor through 2.2.4 (i.e. 2.2.4 and all earlier releases) is vulnerable to arbitrary file upload via the mods/_core/backups/upload.php (aka backup) component, which may result in remote command execution. An attacker holding an instructor account (authenticated, low privilege — see the Au:S / PR:L CVSS vectors below) can fully compromise the system using a crafted backup ZIP archive: the archive contents are written under the web root, so PHP files placed in it are served and executed by the remote server.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/ | Exploit, Third Party Advisory, URL Repurposed | |
cve@mitre.org | http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html | ||
cve@mitre.org | https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/ | Exploit, Third Party Advisory, URL Repurposed | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DAE444F-3475-41BE-AB95-1EDBA4B9604F", "versionEndIncluding": "2.2.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server." }, { "lang": "es", "value": "ATutor hasta 2.2.4 es vulnerable a cargas de archivos arbitrarios a trav\u00e9s del componente mods / _core / backups / upload.php (tambi\u00e9n conocido como backup). Esto puede resultar en la ejecuci\u00f3n remota de comandos. Un atacante puede usar la cuenta del instructor para comprometer completamente el sistema utilizando un archivo ZIP de copia de seguridad dise\u00f1ado. Esto permitir\u00e1 que los archivos PHP se escriban en la ra\u00edz web y que el c\u00f3digo se ejecute en el servidor remoto." 
} ], "id": "CVE-2019-12170", "lastModified": "2024-11-21T04:22:21.557", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-05-17T22:29:00.453", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "URL Repurposed" ], "url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "URL Repurposed" ], "url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-434" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-03 01:29
Modified
2024-11-21 03:13
Summary
Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists because the url value handled by /mods/_standard/rss_feeds/edit_feed.php is insufficiently filtered before being output. An attacker could inject arbitrary HTML and script code that executes in a victim's browser in the context of the vulnerable site; the CVSS vectors below indicate the attacker needs an authenticated account and the victim must interact with the crafted page.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090 | Third Party Advisory | |
cve@mitre.org | https://github.com/atutor/ATutor/issues/135 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/atutor/ATutor/issues/135 | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF908CFF-8192-462B-8966-C6FA918166F9", "versionEndIncluding": "2.2.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website." }, { "lang": "es", "value": "Existe una vulnerabilidad de tipo Cross-Site Scripting (XSS) en ATutor en versiones anteriores a la 2.2.3. Esta vulnerabilidad existe debido a un filtrado de datos insuficiente (url en /mods/_standard/rss_feeds/edit_feed.php). Un atacante podr\u00eda inyectar c\u00f3digo HTML y script arbitrario en un navegador en el contexto del sitio web vulnerable." 
} ], "id": "CVE-2017-14981", "lastModified": "2024-11-21T03:13:53.590", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-03T01:29:02.763", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/issues/135" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/issues/135" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-04-13 14:59
Modified
2024-11-21 02:48
Summary
SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function (friends.inc.php). Note that the CVSS vectors below record no authentication required (Au:N / PR:N), so this is reachable pre-authentication, and a Metasploit module and public exploit are referenced.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "3379F338-0AB7-4ECE-B5C5-42DA74D9FD9A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php." }, { "lang": "es", "value": "La vulnerabilidad de inyecci\u00f3n de SQL en include/lib/mysql_connect.inc.php en ATutor 2.2.1 permite a atacantes remotos ejecutar comandos SQL arbitrarios a trav\u00e9s de la funci\u00f3n searchFriends a friends.inc.php." } ], "id": "CVE-2016-2555", "lastModified": "2024-11-21T02:48:41.173", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-04-13T14:59:01.637", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party 
Advisory", "URL Repurposed" ], "url": "http://sourceincite.com/research/src-2016-08/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.rapid7.com/db/modules/exploit/multi/http/atutor_sqli" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/629b2c992447f7670a2fecc484abfad8c4c2d298" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/945a9dca01def8536516088da30fe6a4b7e9fa85" }, { "source": "cve@mitre.org", "url": "https://www.exploit-db.com/exploits/39514/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "URL Repurposed" ], "url": "http://sourceincite.com/research/src-2016-08/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.rapid7.com/db/modules/exploit/multi/http/atutor_sqli" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/629b2c992447f7670a2fecc484abfad8c4c2d298" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/commit/945a9dca01def8536516088da30fe6a4b7e9fa85" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.exploit-db.com/exploits/39514/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-10-10 16:29
Modified
2024-11-21 02:35
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2. The description gives no affected scripts or parameters; the linked GitHub issue and oss-security post are the only sources of detail, and the CVSS vectors below indicate an authenticated attacker and victim interaction are required.
References
▼ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.openwall.com/lists/oss-security/2015/08/19/1 | Mailing List, Third Party Advisory | |
cve@mitre.org | https://github.com/atutor/ATutor/issues/103 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2015/08/19/1 | Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/atutor/ATutor/issues/103 | Exploit, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:atutor:atutor:2.2:*:*:*:*:*:*:*", "matchCriteriaId": "DDF111DC-ED34-441F-87B3-C1799A9E589C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de Cross-Site Scripting (XSS) en ATutor LMS 2.2." } ], "id": "CVE-2015-6521", "lastModified": "2024-11-21T02:35:08.987", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-10-10T16:29:00.370", "references": [ { "source": "cve@mitre.org", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2015/08/19/1" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/issues/103" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Mailing List", "Third Party Advisory" ], "url": "http://www.openwall.com/lists/oss-security/2015/08/19/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://github.com/atutor/ATutor/issues/103" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }