Published: 07/02/2017 Updated: 08/09/2017
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 685
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

Cross-site request forgery (CSRF) vulnerability in install_modules.php in ATutor prior to 2.2.2 allows remote malicious users to hijack the authentication of users for requests that upload arbitrary files and execute arbitrary PHP code via vectors involving a crafted zip file.
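The forged request described above reaches install_modules.php as a normal authenticated POST, so from the server side the only visible oddity is where the browser says it came from. The following added example (not part of this advisory or of ATutor) triages combined-format access log lines for POSTs to that endpoint whose Referer is missing or points at a foreign origin; the hostname, module path and log lines are all constructed assumptions.

```python
"""Triage helper: flag POSTs to the ATutor module installer whose Referer is
absent or from another origin, a typical footprint of a CSRF-driven upload.
Assumptions (not from the advisory): SITE_HOST, TARGET_PATH and the sample
log lines below are constructed for illustration."""
import re
from urllib.parse import urlsplit

SITE_HOST = "lms.example.edu"                                    # assumed host
TARGET_PATH = "/ATutor/mods/_core/modules/install_modules.php"   # assumed path

# Apache/nginx "combined" format: client, ident, user, [time], "request",
# status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry):
    """A state-changing POST to the installer that the browser did not
    attribute to our own origin is worth a look; GETs and same-origin posts
    are the normal admin workflow."""
    if entry["method"] != "POST" or not entry["path"].startswith(TARGET_PATH):
        return False
    ref = entry["referer"]
    if ref in ("", "-"):
        return True  # no Referer at all: cannot be verified as same-origin
    return urlsplit(ref).hostname != SITE_HOST


def find_csrf_candidates(lines):
    """Return (client_ip, referer) for every line that looks like a forged post."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["referer"]))
    return hits


# Constructed sample log: one legitimate admin upload, one page view, one post
# referred from an unrelated site, and one post with no Referer header.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Feb/2016:13:40:11 +0000] "POST /ATutor/mods/_core/modules/install_modules.php HTTP/1.1" 302 512 "https://lms.example.edu/ATutor/mods/_core/modules/install_modules.php" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Feb/2016:13:41:02 +0000] "GET /ATutor/mods/_core/modules/install_modules.php HTTP/1.1" 200 8841 "https://lms.example.edu/ATutor/mods/_core/modules/index.php" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2016:13:45:02 +0000] "POST /ATutor/mods/_core/modules/install_modules.php HTTP/1.1" 302 512 "http://evil.example/attack.html" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Feb/2016:13:47:19 +0000] "POST /ATutor/mods/_core/modules/install_modules.php HTTP/1.1" 302 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ref in find_csrf_candidates(SAMPLE_LOG):
        print(f"suspicious module upload from {ip} (Referer: {ref})")
```

Referer is a triage signal only, since privacy settings and some proxies strip it; the fix for the issue itself is a per-session anti-CSRF token checked by install_modules.php on every upload.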

Affected Products

Vendor Product Versions


/* exp.js
   ATutor LMS <= 2.2.1 install_modules.php CSRF Remote Code Execution
   by mr_me

   Notes:
   ``````
   - Discovered for @ipn_mx students advanced php vuln/dev class
   - Tested on the latest FireFox 44.0.2 release build
   - This poc simply uploads a zip file as pwn/si.php with a "<?php system($_GET['cmd']); ?>" in it
   - You will need to set the A ...