CVE-2019-11446

HIGH

ATutor <2.2.4 - Command Injection

Title source: llm

Description

An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml.

Exploits (1)

exploitdb WORKING POC

by AkkuS · rubywebappsphp

https://www.exploit-db.com/exploits/46691

View Code ZIP pw:eip

References (2)

[Exploit, Third Party Advisory] http://pentest.com.tr/exploits/ATutor-2-2-4-file-manager-Remote-Code-Execution-Injection-Metasploit.html

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/46691/

Scores

CVSS v3 8.8

EPSS 0.0383

EPSS Percentile 88.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

atutor/atutor < 2.2.4

Published Apr 22, 2019

Tracked Since Feb 18, 2026