Search criteria
56 vulnerabilities found for atutor by atutor
CVE-2023-27008 (GCVE-0-2023-27008)
Vulnerability from nvd – Published: 2023-03-28 00:00 – Updated: 2025-02-18 20:18
VLAI?
Summary
A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:01:31.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://plantplants213607121.wordpress.com/2023/02/16/atutor-2-2-1-cross-site-scripting-via-the-token-body-parameter/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27008",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T20:17:31.351746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T20:18:14.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-28T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://plantplants213607121.wordpress.com/2023/02/16/atutor-2-2-1-cross-site-scripting-via-the-token-body-parameter/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-27008",
"datePublished": "2023-03-28T00:00:00.000Z",
"dateReserved": "2023-02-27T00:00:00.000Z",
"dateUpdated": "2025-02-18T20:18:14.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43498 (GCVE-0-2021-43498)
Vulnerability from nvd – Published: 2022-04-08 18:06 – Updated: 2024-08-04 03:55
VLAI?
Summary
An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:29.266Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-08T18:06:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43498",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html"
},
{
"name": "https://github.com/atutor/ATutor/blob/master/password_reminder.php",
"refsource": "MISC",
"url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43498",
"datePublished": "2022-04-08T18:06:02",
"dateReserved": "2021-11-08T00:00:00",
"dateUpdated": "2024-08-04T03:55:29.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23341 (GCVE-0-2020-23341)
Vulnerability from nvd – Published: 2021-08-17 21:45 – Updated: 2024-08-04 14:58
VLAI?
Summary
A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:15.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-17T21:45:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23341",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/",
"refsource": "MISC",
"url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23341",
"datePublished": "2021-08-17T21:45:59",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:15.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1583 (GCVE-0-2015-1583)
Vulnerability from nvd – Published: 2020-03-02 15:50 – Updated: 2024-08-06 04:47
VLAI?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:47:17.346Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html"
},
{
"name": "72845",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72845"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-02T15:50:35",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html"
},
{
"name": "72845",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72845"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1583",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html"
},
{
"name": "72845",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72845"
},
{
"name": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18"
},
{
"name": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce"
},
{
"name": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419"
},
{
"name": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/",
"refsource": "MISC",
"url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1583",
"datePublished": "2020-03-02T15:50:35",
"dateReserved": "2015-02-11T00:00:00",
"dateUpdated": "2024-08-06T04:47:17.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9753 (GCVE-0-2014-9753)
Vulnerability from nvd – Published: 2020-02-11 17:51 – Updated: 2024-08-06 13:55
VLAI?
Summary
confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:55:04.520Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://karmainsecurity.com/KIS-2015-06"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Nov/11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-11T17:51:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://karmainsecurity.com/KIS-2015-06"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Nov/11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9753",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://karmainsecurity.com/KIS-2015-06",
"refsource": "MISC",
"url": "http://karmainsecurity.com/KIS-2015-06"
},
{
"name": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded",
"refsource": "MISC",
"url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded"
},
{
"name": "http://seclists.org/fulldisclosure/2015/Nov/11",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2015/Nov/11"
},
{
"name": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml",
"refsource": "MISC",
"url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml"
},
{
"name": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d",
"refsource": "MISC",
"url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9753",
"datePublished": "2020-02-11T17:51:14",
"dateReserved": "2015-10-05T00:00:00",
"dateUpdated": "2024-08-06T13:55:04.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16114 (GCVE-0-2019-16114)
Vulnerability from nvd – Published: 2019-09-09 12:15 – Updated: 2024-08-05 01:03
VLAI?
Summary
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:03:32.778Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commits/master"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-09T12:15:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/atutor/ATutor/commits/master"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16114",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/atutor/ATutor/commits/master",
"refsource": "MISC",
"url": "https://github.com/atutor/ATutor/commits/master"
},
{
"name": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md",
"refsource": "MISC",
"url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16114",
"datePublished": "2019-09-09T12:15:29",
"dateReserved": "2019-09-08T00:00:00",
"dateUpdated": "2024-08-05T01:03:32.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12169 (GCVE-0-2019-12169)
Vulnerability from nvd – Published: 2019-06-03 20:00 – Updated: 2024-08-04 23:10
VLAI?
Summary
ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:30.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fuzzlove"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a \"..\" pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-30T19:06:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fuzzlove"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12169",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a \"..\" pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fuzzlove",
"refsource": "MISC",
"url": "https://github.com/fuzzlove"
},
{
"name": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit",
"refsource": "MISC",
"url": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit"
},
{
"name": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/",
"refsource": "MISC",
"url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/"
},
{
"name": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html"
},
{
"name": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12169",
"datePublished": "2019-06-03T20:00:28",
"dateReserved": "2019-05-17T00:00:00",
"dateUpdated": "2024-08-04T23:10:30.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12170 (GCVE-0-2019-12170)
Vulnerability from nvd – Published: 2019-05-17 21:52 – Updated: 2024-08-04 23:10
VLAI?
Summary
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:30.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-05T22:06:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12170",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File",
"refsource": "MISC",
"url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File"
},
{
"name": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/",
"refsource": "MISC",
"url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/"
},
{
"name": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12170",
"datePublished": "2019-05-17T21:52:18",
"dateReserved": "2019-05-17T00:00:00",
"dateUpdated": "2024-08-04T23:10:30.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11446 (GCVE-0-2019-11446)
Vulnerability from nvd – Published: 2019-04-22 04:01 – Updated: 2024-08-04 22:55
VLAI?
Summary
An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:39.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "46691",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46691/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-24T15:13:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "46691",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/46691/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11446",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "46691",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/46691/"
},
{
"name": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html",
"refsource": "MISC",
"url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11446",
"datePublished": "2019-04-22T04:01:09",
"dateReserved": "2019-04-21T00:00:00",
"dateUpdated": "2024-08-04T22:55:39.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-7172 (GCVE-0-2019-7172)
Vulnerability from nvd – Published: 2019-01-29 18:00 – Updated: 2024-09-17 01:12
VLAI?
Summary
A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:38:33.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/issues/164"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-29T18:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/atutor/ATutor/issues/164"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-7172",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/atutor/ATutor/issues/164",
"refsource": "MISC",
"url": "https://github.com/atutor/ATutor/issues/164"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-7172",
"datePublished": "2019-01-29T18:00:00Z",
"dateReserved": "2019-01-29T00:00:00Z",
"dateUpdated": "2024-09-17T01:12:11.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-6521 (GCVE-0-2015-6521)
Vulnerability from nvd – Published: 2017-10-10 16:00 – Updated: 2024-08-06 07:22
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:22:22.263Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/issues/103"
},
{
"name": "[oss-security] 20150818 Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/08/19/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-08-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/issues/103"
},
{
"name": "[oss-security] 20150818 Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/08/19/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-6521",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/atutor/ATutor/issues/103",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/issues/103"
},
{
"name": "[oss-security] 20150818 Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/08/19/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-6521",
"datePublished": "2017-10-10T16:00:00",
"dateReserved": "2015-08-18T00:00:00",
"dateUpdated": "2024-08-06T07:22:22.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-14981 (GCVE-0-2017-14981)
Vulnerability from nvd – Published: 2017-10-02 01:00 – Updated: 2024-09-17 00:06
VLAI?
Summary
Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:42:22.437Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/issues/135"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-02T01:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/issues/135"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-14981",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/atutor/ATutor/issues/135",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/issues/135"
},
{
"name": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-14981",
"datePublished": "2017-10-02T01:00:00Z",
"dateReserved": "2017-10-01T00:00:00Z",
"dateUpdated": "2024-09-17T00:06:38.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7711 (GCVE-0-2015-7711)
Vulnerability from nvd – Published: 2017-08-31 22:00 – Updated: 2024-08-06 07:58
VLAI?
Summary
Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:58:59.974Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Nov/12"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://karmainsecurity.com/KIS-2015-07"
},
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Nov/12"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://karmainsecurity.com/KIS-2015-07"
},
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-7711",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Nov/12"
},
{
"name": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html"
},
{
"name": "http://karmainsecurity.com/KIS-2015-07",
"refsource": "MISC",
"url": "http://karmainsecurity.com/KIS-2015-07"
},
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-7711",
"datePublished": "2017-08-31T22:00:00",
"dateReserved": "2015-10-05T00:00:00",
"dateUpdated": "2024-08-06T07:58:59.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10400 (GCVE-0-2016-10400)
Vulnerability from nvd – Published: 2017-07-22 17:00 – Updated: 2024-09-16 20:58
VLAI?
Summary
Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:51.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23297"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-22T17:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23297"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10400",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.htbridge.com/advisory/HTB23297",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23297"
},
{
"name": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2",
"refsource": "MISC",
"url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10400",
"datePublished": "2017-07-22T17:00:00Z",
"dateReserved": "2017-07-22T00:00:00Z",
"dateUpdated": "2024-09-16T20:58:58.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-1000004 (GCVE-0-2017-1000004)
Vulnerability from nvd – Published: 2017-07-13 20:00 – Updated: 2024-08-05 21:45
VLAI?
Summary
ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:25.963Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99599",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99599"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-19T11:57:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "99599",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99599"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-1000004",
"REQUESTER": "mattd@bugfuzz.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99599",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99599"
},
{
"name": "http://www.atutor.ca/atutor/mantis/view.php?id=5681",
"refsource": "CONFIRM",
"url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681"
},
{
"name": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55",
"refsource": "CONFIRM",
"url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-1000004",
"datePublished": "2017-07-13T20:00:00",
"dateReserved": "2017-07-10T00:00:00",
"dateUpdated": "2024-08-05T21:45:25.963Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-1000003 (GCVE-0-2017-1000003)
Vulnerability from nvd – Published: 2017-07-13 20:00 – Updated: 2024-08-05 21:45
VLAI?
Summary
ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:45:26.165Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "99599",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/99599"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-07-13T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-26T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "99599",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/99599"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-1000003",
"REQUESTER": "mattd@bugfuzz.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "99599",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/99599"
},
{
"name": "http://www.atutor.ca/atutor/mantis/view.php?id=5681",
"refsource": "CONFIRM",
"url": "http://www.atutor.ca/atutor/mantis/view.php?id=5681"
},
{
"name": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55",
"refsource": "CONFIRM",
"url": "http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-1000003",
"datePublished": "2017-07-13T20:00:00",
"dateReserved": "2017-07-10T00:00:00",
"dateUpdated": "2024-08-05T21:45:26.165Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27008 (GCVE-0-2023-27008)
Vulnerability from cvelistv5 – Published: 2023-03-28 00:00 – Updated: 2025-02-18 20:18
VLAI?
Summary
A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:01:31.892Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://plantplants213607121.wordpress.com/2023/02/16/atutor-2-2-1-cross-site-scripting-via-the-token-body-parameter/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27008",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T20:17:31.351746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T20:18:14.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-28T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://plantplants213607121.wordpress.com/2023/02/16/atutor-2-2-1-cross-site-scripting-via-the-token-body-parameter/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-27008",
"datePublished": "2023-03-28T00:00:00.000Z",
"dateReserved": "2023-02-27T00:00:00.000Z",
"dateUpdated": "2025-02-18T20:18:14.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-43498 (GCVE-0-2021-43498)
Vulnerability from cvelistv5 – Published: 2022-04-08 18:06 – Updated: 2024-08-04 03:55
VLAI?
Summary
An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T03:55:29.266Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-08T18:06:02",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2021-43498",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html"
},
{
"name": "https://github.com/atutor/ATutor/blob/master/password_reminder.php",
"refsource": "MISC",
"url": "https://github.com/atutor/ATutor/blob/master/password_reminder.php"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2021-43498",
"datePublished": "2022-04-08T18:06:02",
"dateReserved": "2021-11-08T00:00:00",
"dateUpdated": "2024-08-04T03:55:29.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-23341 (GCVE-0-2020-23341)
Vulnerability from cvelistv5 – Published: 2021-08-17 21:45 – Updated: 2024-08-04 14:58
VLAI?
Summary
A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T14:58:15.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-08-17T21:45:59",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-23341",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/",
"refsource": "MISC",
"url": "https://minhtuanact.github.io/post/reflected-xss-in-atutor-2.2.4/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-23341",
"datePublished": "2021-08-17T21:45:59",
"dateReserved": "2020-08-13T00:00:00",
"dateUpdated": "2024-08-04T14:58:15.126Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-1583 (GCVE-0-2015-1583)
Vulnerability from cvelistv5 – Published: 2020-03-02 15:50 – Updated: 2024-08-06 04:47
VLAI?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T04:47:17.346Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html"
},
{
"name": "72845",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/72845"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-02-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-02T15:50:35",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html"
},
{
"name": "72845",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/72845"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-1583",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account via a request to mods/_core/users/create_user.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html"
},
{
"name": "72845",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/72845"
},
{
"name": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18"
},
{
"name": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce"
},
{
"name": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419"
},
{
"name": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/",
"refsource": "MISC",
"url": "https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-1583",
"datePublished": "2020-03-02T15:50:35",
"dateReserved": "2015-02-11T00:00:00",
"dateUpdated": "2024-08-06T04:47:17.346Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9753 (GCVE-0-2014-9753)
Vulnerability from cvelistv5 – Published: 2020-02-11 17:51 – Updated: 2024-08-06 13:55
VLAI?
Summary
confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:55:04.520Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://karmainsecurity.com/KIS-2015-06"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Nov/11"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-02-11T17:51:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://karmainsecurity.com/KIS-2015-06"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Nov/11"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9753",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://karmainsecurity.com/KIS-2015-06",
"refsource": "MISC",
"url": "http://karmainsecurity.com/KIS-2015-06"
},
{
"name": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded",
"refsource": "MISC",
"url": "http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded"
},
{
"name": "http://seclists.org/fulldisclosure/2015/Nov/11",
"refsource": "MISC",
"url": "http://seclists.org/fulldisclosure/2015/Nov/11"
},
{
"name": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml",
"refsource": "MISC",
"url": "http://update.atutor.ca/patch/2_2/2_2-6/patch.xml"
},
{
"name": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d",
"refsource": "MISC",
"url": "https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9753",
"datePublished": "2020-02-11T17:51:14",
"dateReserved": "2015-10-05T00:00:00",
"dateUpdated": "2024-08-06T13:55:04.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16114 (GCVE-0-2019-16114)
Vulnerability from cvelistv5 – Published: 2019-09-09 12:15 – Updated: 2024-08-05 01:03
VLAI?
Summary
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:03:32.778Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commits/master"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-09T12:15:29",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/atutor/ATutor/commits/master"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16114",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/atutor/ATutor/commits/master",
"refsource": "MISC",
"url": "https://github.com/atutor/ATutor/commits/master"
},
{
"name": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md",
"refsource": "MISC",
"url": "https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16114",
"datePublished": "2019-09-09T12:15:29",
"dateReserved": "2019-09-08T00:00:00",
"dateUpdated": "2024-08-05T01:03:32.778Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12169 (GCVE-0-2019-12169)
Vulnerability from cvelistv5 – Published: 2019-06-03 20:00 – Updated: 2024-08-04 23:10
VLAI?
Summary
ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:30.825Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fuzzlove"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a \"..\" pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-06-30T19:06:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fuzzlove"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12169",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a \"..\" pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fuzzlove",
"refsource": "MISC",
"url": "https://github.com/fuzzlove"
},
{
"name": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit",
"refsource": "MISC",
"url": "https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit"
},
{
"name": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/",
"refsource": "MISC",
"url": "http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/"
},
{
"name": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html"
},
{
"name": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12169",
"datePublished": "2019-06-03T20:00:28",
"dateReserved": "2019-05-17T00:00:00",
"dateUpdated": "2024-08-04T23:10:30.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-12170 (GCVE-0-2019-12170)
Vulnerability from cvelistv5 – Published: 2019-05-17 21:52 – Updated: 2024-08-04 23:10
VLAI?
Summary
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T23:10:30.829Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-08-05T22:06:04",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-12170",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File",
"refsource": "MISC",
"url": "https://github.com/fuzzlove/ATutor-Instructor-Backup-Arbitrary-File"
},
{
"name": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/",
"refsource": "MISC",
"url": "http://incidentsecurity.com/atutor-2-2-4-backup-remote-command-execution/"
},
{
"name": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/153869/ATutor-2.2.4-Backup-Remote-Command-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-12170",
"datePublished": "2019-05-17T21:52:18",
"dateReserved": "2019-05-17T00:00:00",
"dateUpdated": "2024-08-04T23:10:30.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11446 (GCVE-0-2019-11446)
Vulnerability from cvelistv5 – Published: 2019-04-22 04:01 – Updated: 2024-08-04 22:55
VLAI?
Summary
An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:55:39.688Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "46691",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/46691/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-04-24T15:13:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "46691",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/46691/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-11446",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "46691",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/46691/"
},
{
"name": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html",
"refsource": "MISC",
"url": "http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-11446",
"datePublished": "2019-04-22T04:01:09",
"dateReserved": "2019-04-21T00:00:00",
"dateUpdated": "2024-08-04T22:55:39.688Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-7172 (GCVE-0-2019-7172)
Vulnerability from cvelistv5 – Published: 2019-01-29 18:00 – Updated: 2024-09-17 01:12
VLAI?
Summary
A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:38:33.479Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/issues/164"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-01-29T18:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/atutor/ATutor/issues/164"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-7172",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/atutor/ATutor/issues/164",
"refsource": "MISC",
"url": "https://github.com/atutor/ATutor/issues/164"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-7172",
"datePublished": "2019-01-29T18:00:00Z",
"dateReserved": "2019-01-29T00:00:00Z",
"dateUpdated": "2024-09-17T01:12:11.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-6521 (GCVE-0-2015-6521)
Vulnerability from cvelistv5 – Published: 2017-10-10 16:00 – Updated: 2024-08-06 07:22
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:22:22.263Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/issues/103"
},
{
"name": "[oss-security] 20150818 Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2015/08/19/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-08-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-10T15:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/issues/103"
},
{
"name": "[oss-security] 20150818 Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2015/08/19/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-6521",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/atutor/ATutor/issues/103",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/issues/103"
},
{
"name": "[oss-security] 20150818 Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/08/19/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-6521",
"datePublished": "2017-10-10T16:00:00",
"dateReserved": "2015-08-18T00:00:00",
"dateUpdated": "2024-08-06T07:22:22.263Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-14981 (GCVE-0-2017-14981)
Vulnerability from cvelistv5 – Published: 2017-10-02 01:00 – Updated: 2024-09-17 00:06
VLAI?
Summary
Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T19:42:22.437Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/issues/135"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-10-02T01:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/issues/135"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-14981",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. The vulnerability exists due to insufficient filtration of data (url in /mods/_standard/rss_feeds/edit_feed.php). An attacker could inject arbitrary HTML and script code into a browser in the context of the vulnerable website."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/atutor/ATutor/issues/135",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/issues/135"
},
{
"name": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090",
"refsource": "CONFIRM",
"url": "https://github.com/atutor/ATutor/commit/9292360c8b3898d0990983269f110cef21729090"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-14981",
"datePublished": "2017-10-02T01:00:00Z",
"dateReserved": "2017-10-01T00:00:00Z",
"dateUpdated": "2024-09-17T00:06:38.894Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-7711 (GCVE-0-2015-7711)
Vulnerability from cvelistv5 – Published: 2017-08-31 22:00 – Updated: 2024-08-06 07:58
VLAI?
Summary
Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T07:58:59.974Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2015/Nov/12"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://karmainsecurity.com/KIS-2015-07"
},
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-11-04T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-09T18:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2015/Nov/12"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://karmainsecurity.com/KIS-2015-07"
},
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-7711",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2015/Nov/12"
},
{
"name": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/134217/ATutor-2.2-Cross-Site-Scripting.html"
},
{
"name": "http://karmainsecurity.com/KIS-2015-07",
"refsource": "MISC",
"url": "http://karmainsecurity.com/KIS-2015-07"
},
{
"name": "20151104 [KIS-2015-07] ATutor \u003c= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability",
"refsource": "BUGTRAQ",
"url": "http://www.securityfocus.com/archive/1/536837/100/0/threaded"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-7711",
"datePublished": "2017-08-31T22:00:00",
"dateReserved": "2015-10-05T00:00:00",
"dateUpdated": "2024-08-06T07:58:59.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2016-10400 (GCVE-0-2016-10400)
Vulnerability from cvelistv5 – Published: 2017-07-22 17:00 – Updated: 2024-09-16 20:58
VLAI?
Summary
Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T03:21:51.774Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.htbridge.com/advisory/HTB23297"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-07-22T17:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.htbridge.com/advisory/HTB23297"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2016-10400",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.htbridge.com/advisory/HTB23297",
"refsource": "MISC",
"url": "https://www.htbridge.com/advisory/HTB23297"
},
{
"name": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2",
"refsource": "MISC",
"url": "https://github.com/atutor/ATutor/releases/tag/atutor_2_2_2"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2016-10400",
"datePublished": "2017-07-22T17:00:00Z",
"dateReserved": "2017-07-22T00:00:00Z",
"dateUpdated": "2024-09-16T20:58:58.691Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}