Description

ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) component. This may result in remote command execution. An attacker can use the instructor account to fully compromise the system using a crafted backup ZIP archive. This will allow for PHP files to be written to the web root, and for code to execute on the remote server.

Remediation

References

CVE-2019-12170

Related Vulnerabilities

WordPress Plugin Meta Box-WordPress Custom Fields Framework Arbitrary File Upload (4.16.1)

WordPress Plugin Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) Cross-Site Scripting (9.7.1)

Oracle Database Server CVE-2014-2478 Vulnerability (CVE-2014-2478)

XWiki Improper Preservation of Permissions Vulnerability (CVE-2021-21379)

WordPress Plugin WP Gravity Forms Insightly Cross-Site Scripting (1.0.6)

Severity

High

Classification

CVE-2019-12170 CWE-434 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities