CVE-2016-2555

CRITICAL

Atutor - SQL Injection

Title source: rule

Description

SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php.

Exploits (6)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremotephp
https://www.exploit-db.com/exploits/39514
nomisec WORKING POC 3 stars
by shadofren · poc
https://github.com/shadofren/CVE-2016-2555
nomisec WORKING POC 1 stars
by maximilianmarx · poc
https://github.com/maximilianmarx/atutor-blind-sqli
nomisec WORKING POC
by HussainFathy · poc
https://github.com/HussainFathy/CVE-2016-2555
metasploit WORKING POC EXCELLENT
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/atutor_filemanager_traversal.rb
metasploit WORKING POC EXCELLENT
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/atutor_sqli.rb

References (5)

Scores

CVSS v3 9.8
EPSS 0.8158
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
atutor/atutor 2.2.1
Published Apr 13, 2017
Tracked Since Feb 18, 2026