CVE-2019-12170

Published: 17/05/2019 Updated: 14/02/2024
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 802
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

ATutor up to and including 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.

Vulnerable Product

atutor atutor

Github Repositories

ATutor 2.2.4 Arbitrary File Upload / RCE (CVE-2019-12169)

Exploit Title: ATutor 2.2.4 Arbitrary File Upload / RCE [CVE-2019-12169]
Date: 5/24/19
Exploit Author: liquidsky (JMcPeters)
Vendor Homepage: atutor.github.io/
Software Link: sourceforge.net/projects/atutor/files/latest/download
Version: 2.2.4
Tested on: Windows 8 / Apache / MySQL (XAMPP)
CVE : CVE-2019-

ATutor 2.2.4 'Backup' Remote Command Execution (CVE-2019-12170)

ATutor-Instructor-Backup-Exploit
Exploit Title: ATutor 2.2.4 'Backup' Remote Command Execution (CVE-2019-12170)
Google Dork: inurl:/ATutor/login.php
Date: 5/13/2019
Exploit Author: liquidsky (Joseph McPeters)
Vendor Homepage: atutor.github.io/
Software Link: sourceforge.net/projects/atutor/files/latest/download
Version: < 2.2.4 (Versions 2.2.4