CVE-2010-0971

ATutor 1.6.4 - XSS

Title source: llm

Description

Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.6.4 allow remote authenticated users, with Instructor privileges, to inject arbitrary web script or HTML via the (1) Question and (2) Choice fields in tools/polls/add.php, the (3) Type and (4) Title fields in tools/groups/create_manual.php, and the (5) Title field in assignments/add_assignment.php. NOTE: some of these details are obtained from third party information.

Exploits (1)

exploitdb WRITEUP VERIFIED

by ITSecTeam · textwebappsphp

https://www.exploit-db.com/exploits/11685

View Code ZIP pw:eip

References (8)

[Exploit] http://packetstormsecurity.org/1003-exploits/atutor-xss.txt

[Vendor Advisory] http://secunia.com/advisories/38906

[Exploit] http://www.exploit-db.com/exploits/11685

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/38656

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/56852

[Third Party Advisory, VDB Entry] http://osvdb.org/62904

[Third Party Advisory, VDB Entry] http://osvdb.org/62905

[Third Party Advisory, VDB Entry] http://osvdb.org/62906

Scores

EPSS 0.0123

EPSS Percentile 79.0%

Classification

CWE

CWE-79

Status published

Affected Products (2)

atutor/atutor

n/a/n/a

Timeline

Published Mar 16, 2010

Tracked Since Feb 18, 2026