CVE-2019-12169

HIGH

ATutor 2.2.4 - RCE

Title source: llm

Description

ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.

Exploits (3)

nomisec WORKING POC 3 stars

by fuzzlove · poc

https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit

View Code ZIP pw:eip

gitlab WORKING POC

by fuzzlove-group · poc

https://gitlab.com/fuzzlove-group/ATutor-2-2-4-Language-Exploit

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by liquidsky (JMcPeters), Erik Wynter · rubypoclinux

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/atutor_upload_traversal.rb

View Code ZIP pw:eip

References (5)

[Exploit, Third Party Advisory, URL Repurposed] http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html

[Third Party Advisory] https://github.com/fuzzlove

[Exploit, Third Party Advisory] https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit

Scores

CVSS v3 8.8

EPSS 0.7589

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-22

Status published

Products (1)

atutor/atutor 2.2.1 - 2.2.4

Published Jun 03, 2019

Tracked Since Feb 18, 2026