CVE-2006-3484

ATutor < 1.5.3 - Cross-Site Scripting via Multiple Parameters

Exploitation Summary

EIP tracks 5 public exploits for CVE-2006-3484. PoCs published by Security News.

AI-analyzed exploit summary: The provided text describes a cross-site scripting (XSS) vulnerability in ATutor versions 1.5.1 and 1.5.3 RC2. It includes a proof-of-concept URL demonstrating the vulnerability but lacks executable exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in ATutor before 1.5.3 allow remote attackers to inject arbitrary web script or HTML via the (1) show_courses or (2) current_cat parameters to (a) admin/create_course.php, show_courses parameter to (b) users/create_course.php, (3) p parameter to (c) documentation/admin/, (4) forgot parameter to (d) password_reminder.php, (5) cat parameter to (e) users/browse.php, or the (6) submit parameter to admin/fix_content.php.

Exploits (5)

exploitdb WRITEUP VERIFIED
by Security News · text · webapps · php
https://www.exploit-db.com/exploits/28178

The provided text describes a cross-site scripting (XSS) vulnerability in ATutor versions 1.5.1 and 1.5.3 RC2. It includes a proof-of-concept URL demonstrating the vulnerability but lacks executable exploit code.

Classification
Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: ATutor 1.5.1, 1.5.3 RC2
No auth needed
Prerequisites: Access to the target application · User interaction to trigger the XSS payload
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Security News · text · webapps · php
https://www.exploit-db.com/exploits/28176

The provided text describes a cross-site scripting (XSS) vulnerability in ATutor versions 1.5.1 and 1.5.3 RC2. It includes example URLs demonstrating how arbitrary script code can be executed in the context of the affected site.

Classification
Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: ATutor 1.5.1, 1.5.3 RC2
No auth needed
Prerequisites: Access to the vulnerable ATutor instance
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Security News · text · webapps · php
https://www.exploit-db.com/exploits/28179

The provided text describes a cross-site scripting (XSS) vulnerability in ATutor versions 1.5.1 and 1.5.3 RC2, where user-supplied input is not properly sanitized. The example URL demonstrates how arbitrary script code could be executed in the context of the affected site.

Classification
Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: ATutor 1.5.1, 1.5.3 RC2
No auth needed
Prerequisites: Access to a vulnerable ATutor instance · Ability to craft a malicious URL
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Security News · text · webapps · php
https://www.exploit-db.com/exploits/28177

The provided text describes a cross-site scripting (XSS) vulnerability in ATutor versions 1.5.1 and 1.5.3 RC2. It explains the issue and provides a sample exploit URL but does not include functional exploit code.

Classification
Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: ATutor 1.5.1, 1.5.3 RC2
No auth needed
Prerequisites: Access to a vulnerable ATutor instance · Ability to craft a malicious URL
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Security News · text · webapps · php
https://www.exploit-db.com/exploits/28180

The provided text describes a cross-site scripting (XSS) vulnerability in ATutor versions 1.5.1 and 1.5.3 RC2. It includes a brief explanation of the issue and a sample URL demonstrating the vulnerability, but lacks executable exploit code.

Classification
Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Theoretical
Target: ATutor 1.5.1, 1.5.3 RC2
No auth needed
Prerequisites: Access to a vulnerable ATutor instance · Ability to craft a malicious URL
devstral-2 · analyzed Feb 16, 2026

References (9)

Core References
Exploit x_refsource_confirm
http://www.atutor.ca/view/3/8341/1.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2691
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/27021
Exploit, Patch, Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20941
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/27020
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/27023
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/27022
Exploit, Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/18857
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://www.osvdb.org/27019

Scores

EPSS 0.0264
EPSS Percentile 83.7%

Details

Status published
Products (4)
adaptive_technology_resource_centre/atutor 1.5.1
adaptive_technology_resource_centre/atutor 1.5.1_pl1
adaptive_technology_resource_centre/atutor 1.5.1_pl2
adaptive_technology_resource_centre/atutor 1.5.3_rc2
Published Jul 10, 2006
Tracked Since Feb 18, 2026