Description
Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a direct request to the file in content/.
Remediation
References
Related Vulnerabilities
WordPress Plugin jRSS Widget 'url' Parameter Directory Traversal (1.1.1)
EspoCRM Improper Neutralization of Formula Elements in a CSV File Vulnerability (CVE-2022-38845)
WordPress Plugin WordPress Download Manager Multiple Security Bypass Vulnerabilities (2.6.92)
WordPress Plugin Favicon by RealFaviconGenerator Cross-Site Scripting (1.3.20)