Atutor
by Atutor
Source repositories
CVEs (44)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2006-3996 | 0.03 | — | 0.02 | Aug 5, 2006 | SQL injection vulnerability in links/index.php in ATutor 1.5.3.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the (1) desc or (2) asc parameters. | |||
| CVE-2006-3662 | 0.03 | — | 0.01 | Jul 18, 2006 | SQL injection vulnerability in index.php in ATutor 1.5.3 allows remote attackers to execute arbitrary SQL commands via the fid parameter. NOTE: this issue has been disputed by the vendor, who states "The mentioned SQL injection vulnerability is not possible." However, the… | |||
| CVE-2006-3484 | 0.03 | — | 0.03 | Jul 10, 2006 | Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) show_courses or (2) current_cat parameters to (a) admin/create_course.php, show_courses parameter to (b) users/create_course.php,… | |||
| CVE-2005-4155 | 0.03 | — | 0.03 | Dec 11, 2005 | registration.PHP in ATutor 1.5.1 pl2 allows remote attackers to execute arbitrary SQL commands via an e-mail address that ends in a NULL character, which bypasses the PHP regular expression check. NOTE: it is possible that this is actually a bug in PHP code, in which case this… | |||
| CVE-2005-2956 | 0.03 | — | 0.03 | Sep 16, 2005 | ATutor 1.5.1, and possibly earlier versions, stores temporary chat logs under the web document root with insufficient access control and predictable filenames, which allows remote attackers to obtain user chat conversations via direct requests to those files. | |||
| CVE-2005-2954 | 0.03 | — | 0.02 | Sep 16, 2005 | SQL injection vulnerability in password_reminder.php in ATutor before 1.5.1 pl1 allows remote attackers to execute arbitrary SQL commands via the email field. | |||
| CVE-2005-2649 | 0.03 | — | 0.04 | Aug 23, 2005 | Cross-site scripting (XSS) vulnerability in ATutor 1.5.1 allows remote attackers to inject arbitrary web script or HTML via (1) course parameter in login.php or (2) words parameter in search.php. | |||
| CVE-2005-2044 | 0.03 | — | 0.03 | Jun 16, 2005 | Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 and 1.5 RC 1 allow remote attackers to inject arbitrary web script or HTML via the (1) show_course parameter to browse.php, (2) subject parameter to contact.php, (3) cid parameter to content.php, (4) l parameter… | |||
| CVE-2019-16114 | 0.01 | — | 0.05 | Sep 9, 2019 | In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve… | |||
| CVE-2019-12170 | 0.01 | — | 0.09 | May 17, 2019 | ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive.… | |||
| CVE-2021-43498 | 0.00 | — | 0.02 | Apr 8, 2022 | An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set. | |||
| CVE-2020-23341 | 0.00 | — | 0.01 | Aug 17, 2021 | A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | |||
| CVE-2015-1583 | 0.00 | — | 0.01 | Mar 2, 2020 | Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account… | |||
| CVE-2014-9753 | 0.00 | — | 0.03 | Feb 11, 2020 | confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter. | |||
| CVE-2019-7172 | 0.00 | — | 0.01 | Jan 29, 2019 | A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php. | |||
| CVE-2015-7712 | 0.00 | — | 0.02 | Nov 16, 2015 | Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the (1) asc or (2) desc parameter. | |||
| CVE-2014-9752 | 0.00 | — | 0.02 | Nov 16, 2015 | Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a… | |||
| CVE-2011-3706 | 0.00 | — | 0.01 | Sep 23, 2011 | ATutor 2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by users/tool_settings.inc.php and certain other files. | |||
| CVE-2008-0828 | 0.00 | — | 0.01 | Feb 19, 2008 | Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in (a) forum post or (b) mail; or (2) the website field of the profile. | |||
| CVE-2007-0381 | 0.00 | — | 0.01 | Jan 19, 2007 | Multiple SQL injection vulnerabilities in ATutor 1.5.3.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. NOTE: CVE analysis suggests that the vendor fixed these issues. |
- CVE-2006-3996Aug 5, 2006risk 0.03cvss —epss 0.02
SQL injection vulnerability in links/index.php in ATutor 1.5.3.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the (1) desc or (2) asc parameters.
- CVE-2006-3662Jul 18, 2006risk 0.03cvss —epss 0.01
SQL injection vulnerability in index.php in ATutor 1.5.3 allows remote attackers to execute arbitrary SQL commands via the fid parameter. NOTE: this issue has been disputed by the vendor, who states "The mentioned SQL injection vulnerability is not possible." However, the…
- CVE-2006-3484Jul 10, 2006risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) show_courses or (2) current_cat parameters to (a) admin/create_course.php, show_courses parameter to (b) users/create_course.php,…
- CVE-2005-4155Dec 11, 2005risk 0.03cvss —epss 0.03
registration.PHP in ATutor 1.5.1 pl2 allows remote attackers to execute arbitrary SQL commands via an e-mail address that ends in a NULL character, which bypasses the PHP regular expression check. NOTE: it is possible that this is actually a bug in PHP code, in which case this…
- CVE-2005-2956Sep 16, 2005risk 0.03cvss —epss 0.03
ATutor 1.5.1, and possibly earlier versions, stores temporary chat logs under the web document root with insufficient access control and predictable filenames, which allows remote attackers to obtain user chat conversations via direct requests to those files.
- CVE-2005-2954Sep 16, 2005risk 0.03cvss —epss 0.02
SQL injection vulnerability in password_reminder.php in ATutor before 1.5.1 pl1 allows remote attackers to execute arbitrary SQL commands via the email field.
- CVE-2005-2649Aug 23, 2005risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in ATutor 1.5.1 allows remote attackers to inject arbitrary web script or HTML via (1) course parameter in login.php or (2) words parameter in search.php.
- CVE-2005-2044Jun 16, 2005risk 0.03cvss —epss 0.03
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 and 1.5 RC 1 allow remote attackers to inject arbitrary web script or HTML via the (1) show_course parameter to browse.php, (2) subject parameter to contact.php, (3) cid parameter to content.php, (4) l parameter…
- CVE-2019-16114Sep 9, 2019risk 0.01cvss —epss 0.05
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve…
- CVE-2019-12170May 17, 2019risk 0.01cvss —epss 0.09
ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive.…
- CVE-2021-43498Apr 8, 2022risk 0.00cvss —epss 0.02
An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.
- CVE-2020-23341Aug 17, 2021risk 0.00cvss —epss 0.01
A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
- CVE-2015-1583Mar 2, 2020risk 0.00cvss —epss 0.01
Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account…
- CVE-2014-9753Feb 11, 2020risk 0.00cvss —epss 0.03
confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter.
- CVE-2019-7172Jan 29, 2019risk 0.00cvss —epss 0.01
A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php.
- CVE-2015-7712Nov 16, 2015risk 0.00cvss —epss 0.02
Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the (1) asc or (2) desc parameter.
- CVE-2014-9752Nov 16, 2015risk 0.00cvss —epss 0.02
Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a…
- CVE-2011-3706Sep 23, 2011risk 0.00cvss —epss 0.01
ATutor 2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by users/tool_settings.inc.php and certain other files.
- CVE-2008-0828Feb 19, 2008risk 0.00cvss —epss 0.01
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in (a) forum post or (b) mail; or (2) the website field of the profile.
- CVE-2007-0381Jan 19, 2007risk 0.00cvss —epss 0.01
Multiple SQL injection vulnerabilities in ATutor 1.5.3.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. NOTE: CVE analysis suggests that the vendor fixed these issues.
Page 2 of 3