In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use a database under the attacker's control, which grants access to the application. The attacker can then change the directory that the application uploads files to, which leads to remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.
Max CVSS: 9.8
EPSS Score: 1.57%
Published: 2019-09-09
Updated: 2020-08-24
CVE-2019-12169 (public exploit available)
ATutor 2.2.4 allows arbitrary file upload and directory traversal, resulting in remote code execution, via a ".." pathname in a ZIP archive submitted to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.
Max CVSS: 8.8
EPSS Score: 78.35%
Published: 2019-06-03
Updated: 2022-04-22
2 vulnerabilities found