Description
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.
References (2)
Core 2
Core References
Patch x_refsource_misc
https://github.com/atutor/ATutor/commits/master
Exploit, Third Party Advisory x_refsource_misc
https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md
Scores
CVSS v3
9.8
EPSS
0.1828
EPSS Percentile
95.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-863
Status
published
Products (1)
atutor/atutor
< 2.2.4
Published
Sep 09, 2019
Tracked Since
Feb 18, 2026