Skip to main content

Atutor

20 CVEs product

Monthly

CVE-2023-27008 MEDIUM POC This Month

A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Atutor
NVD
CVSS 3.1
6.1
EPSS
1.5%
CVE-2019-16114 CRITICAL POC PATCH Act Now

In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass RCE PHP Atutor
NVD GitHub
CVSS 3.1
9.8
EPSS
4.8%
CVE-2019-12169 HIGH POC THREAT Act Now

ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Path Traversal RCE Atutor
NVD GitHub
CVSS 3.1
8.8
EPSS
73.3%
CVE-2019-12170 HIGH POC This Week

ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Atutor
NVD GitHub
CVSS 3.0
8.8
EPSS
8.7%
CVE-2019-11446 HIGH POC This Week

An issue was discovered in ATutor through 2.2.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Atutor
NVD Exploit-DB
CVSS 3.0
8.8
EPSS
7.9%
CVE-2019-7172 MEDIUM POC This Month

A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Atutor
NVD GitHub
CVSS 3.0
6.1
EPSS
0.9%
CVE-2015-6521 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Atutor
NVD GitHub
CVSS 3.0
5.4
EPSS
0.2%
CVE-2017-14981 MEDIUM POC This Month

Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Atutor
NVD GitHub
CVSS 3.0
5.4
EPSS
0.2%
CVE-2015-7711 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Atutor
NVD
CVSS 3.0
6.1
EPSS
0.8%
CVE-2016-10400 HIGH POC This Week

Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Atutor
NVD GitHub
CVSS 3.0
7.5
EPSS
0.5%
CVE-2017-1000004 CRITICAL Act Now

ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SQLi Information Disclosure Atutor
NVD
CVSS 3.0
9.8
EPSS
2.1%
CVE-2017-1000003 CRITICAL Act Now

ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Atutor
NVD
CVSS 3.0
9.8
EPSS
0.3%
CVE-2017-1000002 CRITICAL POC THREAT Emergency

ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 60.2%.

Path Traversal Information Disclosure RCE Atutor
NVD
CVSS 3.0
9.8
EPSS
60.2%
Threat
5.3
CVE-2016-2555 CRITICAL POC PATCH THREAT Act Now

SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 81.6%.

SQLi PHP Atutor
NVD GitHub Exploit-DB
CVSS 3.0
9.8
EPSS
81.6%
Threat
5.9
CVE-2017-6483 MEDIUM POC This Month

Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2.2.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Atutor
NVD GitHub
CVSS 3.0
6.1
EPSS
0.3%
CVE-2016-2539 HIGH POC PATCH This Week

Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF PHP Atutor
NVD GitHub Exploit-DB
CVSS 3.0
8.8
EPSS
0.1%
CVE-2015-7712 MEDIUM POC This Month

Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Atutor
NVD
CVSS 2.0
6.5
EPSS
0.6%
CVE-2014-9752 MEDIUM This Month

Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Atutor
NVD
CVSS 2.0
6.5
EPSS
0.7%
CVE-2014-2091 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Atutor
NVD Exploit-DB
CVSS 2.0
3.5
EPSS
0.5%
CVE-2012-6528 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Atutor
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
6.3%
EPSS 1% CVSS 6.1
MEDIUM POC This Month

A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Atutor
NVD
EPSS 5% CVSS 9.8
CRITICAL POC PATCH Act Now

In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass RCE PHP +1
NVD GitHub
EPSS 73% CVSS 8.8
HIGH POC THREAT Act Now

ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Path Traversal +2
NVD GitHub
EPSS 9% CVSS 8.8
HIGH POC This Week

ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Atutor
NVD GitHub
EPSS 8% CVSS 8.8
HIGH POC This Week

An issue was discovered in ATutor through 2.2.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP File Upload Atutor
NVD Exploit-DB
EPSS 1% CVSS 6.1
MEDIUM POC This Month

A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Atutor
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in ATutor LMS version 2.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Atutor
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Cross-Site Scripting (XSS) was discovered in ATutor before 2.2.3. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Atutor
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in popuphelp.php in ATutor 2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the h parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Atutor
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal PHP Atutor
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL Act Now

ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE SQLi Information Disclosure +1
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

ATutor versions 2.2.1 and earlier are vulnerable to an incorrect access control check vulnerability in the Social Application component resulting in privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Atutor
NVD
EPSS 60% 5.3 CVSS 9.8
CRITICAL POC THREAT Emergency

ATutor versions 2.2.1 and earlier are vulnerable to a directory traversal and file extension check bypass in the Course component resulting in code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 60.2%.

Path Traversal Information Disclosure RCE +1
NVD
EPSS 82% 5.9 CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 81.6%.

SQLi PHP Atutor
NVD GitHub Exploit-DB
EPSS 0% CVSS 6.1
MEDIUM POC This Month

Multiple Cross-Site Scripting (XSS) issues were discovered in ATutor 2.2.2. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP Atutor
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor before 2.2.2 allows remote attackers to hijack the authentication of users for requests that upload arbitrary files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF PHP Atutor
NVD GitHub Exploit-DB
EPSS 1% CVSS 6.5
MEDIUM POC This Month

Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Atutor
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP File Upload Atutor
NVD
EPSS 1% CVSS 3.5
LOW POC Monitor

Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Atutor
NVD Exploit-DB
EPSS 6% CVSS 4.3
MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 2.1 allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

PHP XSS Atutor
NVD Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy