Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a direct request to the file in content/.
References
Configurations
History
21 Nov 2024, 02:21
Type | Values Removed | Values Added |
---|---|---|
References | () http://karmainsecurity.com/KIS-2015-05 - | |
References | () http://packetstormsecurity.com/files/134215/ATutor-2.2-File-Upload.html - | |
References | () http://seclists.org/fulldisclosure/2015/Nov/10 - | |
References | () http://update.atutor.ca/patch/2_2/2_2-6/patch.xml - | |
References | () http://www.securityfocus.com/archive/1/536834/100/0/threaded - |
Information
Published : 2015-11-16 19:59
Updated : 2024-11-21 02:21
NVD link : CVE-2014-9752
Mitre link : CVE-2014-9752
CVE.ORG link : CVE-2014-9752
JSON object : View
Products Affected
atutor
- atutor
CWE