CVE-2014-9752

Name of the Vulnerable Software and Affected Versions ATutor versions prior to 2.2 patch 6

Description The issue allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a custom icon for a new course, then accessing it via a direct request to the file in content/. This is due to an unrestricted file upload vulnerability in mods/ core/properties/lib/course.inc.php.

Recommendations For versions prior to 2.2 patch 6, update to version 2.2 patch 6 or later to resolve the issue. As a temporary workaround, consider restricting access to the file upload functionality for custom icons in new courses to minimize the risk of exploitation.