CVE-2014-2091

ATutor 2.1.1 - Authenticated Stored Cross-Site Scripting via Forum Title Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2091. PoCs published by HauntIT.

AI-analyzed exploit summary: This exploit demonstrates multiple XSS and HTML injection vulnerabilities in ATutor during installation and admin configuration. It includes payloads for reflected and persistent XSS attacks.

Description

Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title parameter in an add_forum action. NOTE: the original disclosure also reported issues that may not cross privilege boundaries.

Exploits (1)

exploitdb WORKING POC VERIFIED
by HauntIT · text · webapps · php
https://www.exploit-db.com/exploits/39107

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: ATutor 2.1.1
No auth needed
Prerequisites: Access to the installation or admin interface
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026

References (2)

Core 2

Scores

EPSS 0.0127
EPSS Percentile 66.2%

Details

CWE
CWE-79
Status published
Products (1)
atutor/atutor 2.1.1
Published Mar 02, 2014
Tracked Since Feb 18, 2026