Skip to main content

Atutor CVE-2017-1000003

CRITICAL
Improper Privilege Management (CWE-269)
2017-07-17 cve@mitre.org
9.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 17, 2017 - 13:18 cve.org
CRITICAL 9.8

DescriptionCVE.org

ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation.

AnalysisAI

ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Module component resulting in privilege escalation. ATutor versions 2.2.1 and earlier are vulnerable to a incorrect access control check vulnerability in the Alternative Content component resulting in privilege escalation. Affected products include: Atutor.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.

More in Atutor

View all
CVE-2016-2555 CRITICAL POC
9.8 Apr 13

SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbi

CVE-2017-1000002 CRITICAL POC
9.8 Jul 17

ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course

CVE-2019-12169 HIGH POC
8.8 Jun 03

ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathnam

CVE-2019-16114 CRITICAL POC
9.8 Sep 09

In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted databas

CVE-2016-2539 HIGH POC
8.8 Feb 07

Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to

CVE-2019-12170 HIGH POC
8.8 May 17

ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) componen

CVE-2019-11446 HIGH POC
8.8 Apr 22

An issue was discovered in ATutor through 2.2.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploita

CVE-2016-10400 HIGH POC
7.5 Jul 22

Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php.

CVE-2015-7712 MEDIUM POC
6.5 Nov 16

Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remot

CVE-2015-7711 MEDIUM POC
6.1 Aug 31

Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject ar

CVE-2017-1000004 CRITICAL
9.8 Jul 17

ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog,

CVE-2017-6483 MEDIUM POC
6.1 Mar 05

Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2.2.2. Rated medium severity (CVSS 6.1), this vulne

Share

CVE-2017-1000003 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy