A vulnerability was found in ATutor 2.2.4 (Learning Management Software) and classified as critical. This issue affects some unknown processing of the file mods/_core/languages/language_import.php of the component File Upload. The manipulation with the input value .. leads to a unrestricted upload vulnerability. Using CWE to declare the problem leads to CWE-434. The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.

The weakness was shared 06/03/2019. The identification of this vulnerability is CVE-2019-12169 since 05/17/2019. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1608.002 for this issue.

By approaching the search of inurl:mods/_core/languages/language_import.php it is possible to find vulnerable targets with Google Hacking.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Type

• Learning Management Software

Name

• ATutor

Version

• 2.2.4

License

• free

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion