CVE-2019-12169

Published: 03/06/2019 Updated: 05/08/2019
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 606
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.

Affected Products

Vendor | Product | Versions
Atutor | Atutor | 2.2.1, 2.2.2, 2.2.4

Mailing Lists

ATutor version 2.2.4 suffers from a language_import arbitrary file upload that allows for command execution ...

Github Repositories

ATutor 2.2.4 Arbitrary File Upload / RCE (CVE-2019-12169)
Exploit Title: ATutor 2.2.4 Arbitrary File Upload / RCE [CVE-2019-12169]
Date: 5/24/19
Exploit Author: liquidsky (JMcPeters)
Vendor Homepage: atutor.github.io/
Software Link: sourceforge.net/projects/atutor/files/latest/download
Version: 2.2.4
Tested on: Windows 8 / Apache / MySQL (XAMPP)
CVE : CVE-2019-

ATutor-Instructor-Backup-Exploit
Exploit Title: ATutor 2.2.4 'Backup' Remote Command Execution (CVE-2019-12170)
Google Dork: inurl:/ATutor/loginphp
Date: 5/13/2019
Exploit Author: liquidsky (Joseph McPeters)
Vendor Homepage: atutor.github.io/
Software Link: sourceforge.net/projects/atutor/files/latest/download
Version: < 2.2.4 (Versions 2.2.4