Atutor

by Atutor

CVEs (44)

  • CVE-2006-3996 (Aug 5, 2006)
    risk 0.03 | cvss | epss 0.02

    SQL injection vulnerability in links/index.php in ATutor 1.5.3.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the (1) desc or (2) asc parameters.

  • CVE-2006-3662 (Jul 18, 2006)
    risk 0.03 | cvss | epss 0.01

    SQL injection vulnerability in index.php in ATutor 1.5.3 allows remote attackers to execute arbitrary SQL commands via the fid parameter. NOTE: this issue has been disputed by the vendor, who states "The mentioned SQL injection vulnerability is not possible." However, the…

  • CVE-2006-3484 (Jul 10, 2006)
    risk 0.03 | cvss | epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) show_courses or (2) current_cat parameters to (a) admin/create_course.php, show_courses parameter to (b) users/create_course.php,…

  • CVE-2005-4155 (Dec 11, 2005)
    risk 0.03 | cvss | epss 0.03

    registration.PHP in ATutor 1.5.1 pl2 allows remote attackers to execute arbitrary SQL commands via an e-mail address that ends in a NULL character, which bypasses the PHP regular expression check. NOTE: it is possible that this is actually a bug in PHP code, in which case this…

  • CVE-2005-2956 (Sep 16, 2005)
    risk 0.03 | cvss | epss 0.03

    ATutor 1.5.1, and possibly earlier versions, stores temporary chat logs under the web document root with insufficient access control and predictable filenames, which allows remote attackers to obtain user chat conversations via direct requests to those files.

  • CVE-2005-2954 (Sep 16, 2005)
    risk 0.03 | cvss | epss 0.02

    SQL injection vulnerability in password_reminder.php in ATutor before 1.5.1 pl1 allows remote attackers to execute arbitrary SQL commands via the email field.

  • CVE-2005-2649 (Aug 23, 2005)
    risk 0.03 | cvss | epss 0.04

    Cross-site scripting (XSS) vulnerability in ATutor 1.5.1 allows remote attackers to inject arbitrary web script or HTML via (1) course parameter in login.php or (2) words parameter in search.php.

  • CVE-2005-2044 (Jun 16, 2005)
    risk 0.03 | cvss | epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 and 1.5 RC 1 allow remote attackers to inject arbitrary web script or HTML via the (1) show_course parameter to browse.php, (2) subject parameter to contact.php, (3) cid parameter to content.php, (4) l parameter…

  • CVE-2019-16114 (Sep 9, 2019)
    risk 0.01 | cvss | epss 0.05

    In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve…

  • CVE-2019-12170 (May 17, 2019)
    risk 0.01 | cvss | epss 0.09

    ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive.…

  • CVE-2021-43498 (Apr 8, 2022)
    risk 0.00 | cvss | epss 0.02

    An Access Control vulnerability exists in ATutor 2.2.4 in password_reminder.php when the g, id, h, form_password_hidden, and form_change HTTP POST parameters are set.

  • CVE-2020-23341 (Aug 17, 2021)
    risk 0.00 | cvss | epss 0.01

    A reflected cross site scripting (XSS) vulnerability in the /header.tmpl.php component of ATutor 2.2.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

  • CVE-2015-1583 (Mar 2, 2020)
    risk 0.00 | cvss | epss 0.01

    Multiple cross-site request forgery (CSRF) vulnerabilities in ATutor 2.2 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account via a request to mods/_core/users/admins/create.php or (2) create a user account…

  • CVE-2014-9753 (Feb 11, 2020)
    risk 0.00 | cvss | epss 0.03

    confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter.

  • CVE-2019-7172 (Jan 29, 2019)
    risk 0.00 | cvss | epss 0.01

    A stored-self XSS exists in ATutor through v2.2.4, allowing an attacker to execute HTML or JavaScript code in a vulnerable Real Name field to /mods/_core/users/admins/my_edit.php.

  • CVE-2015-7712 (Nov 16, 2015)
    risk 0.00 | cvss | epss 0.02

    Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary PHP code via the (1) asc or (2) desc parameter.

  • CVE-2014-9752 (Nov 16, 2015)
    risk 0.00 | cvss | epss 0.02

    Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a…

  • CVE-2011-3706 (Sep 23, 2011)
    risk 0.00 | cvss | epss 0.01

    ATutor 2.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by users/tool_settings.inc.php and certain other files.

  • CVE-2008-0828 (Feb 19, 2008)
    risk 0.00 | cvss | epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) attributes such as style and onmouseover in (a) forum post or (b) mail; or (2) the website field of the profile.

  • CVE-2007-0381 (Jan 19, 2007)
    risk 0.00 | cvss | epss 0.01

    Multiple SQL injection vulnerabilities in ATutor 1.5.3.2 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. NOTE: CVE analysis suggests that the vendor fixed these issues.