Skip to main content

Atutor CVE-2017-1000002

CRITICAL
Path Traversal (CWE-22)
2017-07-17 cve@mitre.org
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 17, 2017 - 13:18 cve.org
CRITICAL 9.8

DescriptionCVE.org

ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal vulnerability in the Course Icon component resulting in information disclosure.

AnalysisAI

ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 60.2%.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal vulnerability in the Course Icon component resulting in information disclosure. Affected products include: Atutor.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

More in Atutor

View all
CVE-2016-2555 CRITICAL POC
9.8 Apr 13

SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbi

CVE-2019-12169 HIGH POC
8.8 Jun 03

ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathnam

CVE-2019-16114 CRITICAL POC
9.8 Sep 09

In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted databas

CVE-2016-2539 HIGH POC
8.8 Feb 07

Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to

CVE-2019-12170 HIGH POC
8.8 May 17

ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) componen

CVE-2019-11446 HIGH POC
8.8 Apr 22

An issue was discovered in ATutor through 2.2.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita

CVE-2016-10400 HIGH POC
7.5 Jul 22

Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php.

CVE-2015-7712 MEDIUM POC
6.5 Nov 16

Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remot

CVE-2015-7711 MEDIUM POC
6.1 Aug 31

Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject ar

CVE-2017-1000004 CRITICAL
9.8 Jul 17

ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog,

CVE-2017-6483 MEDIUM POC
6.1 Mar 05

Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2.2.2. Rated medium severity (CVSS 6.1), this vulne

CVE-2023-27008 MEDIUM POC
6.1 Mar 28

A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows r

Share

CVE-2017-1000002 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy