Description
Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. NOTE: some of these details are obtained from third party information.
Exploits (1)
References (8)
Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/62905
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/38656
Exploit (exploit, x_refsource_exploit-db): http://www.exploit-db.com/exploits/11685
Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/38906
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/62904
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/56852
Exploit (x_refsource_misc): http://packetstormsecurity.org/1003-exploits/atutor-xss.txt
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/62906
Scores
EPSS: 0.0123
EPSS Percentile: 79.3%
Details
CWE: CWE-79
Status: published
Products (1)
atutor/atutor 1.6.4
Published: Mar 16, 2010
Tracked Since: Feb 18, 2026