Subzero

Name of the Vulnerable Software and Affected Versions: ATutor version 1.5.3.2 Description: The issue allows remote attackers to execute arbitrary PHP code. This can be achieved via several parameters in different PHP files, including the `section` parameter in "documentation/common/frame toc.php" and "documentation/common/search.php", the `req lang` parameter in "documentation/common/search.php" and "documentation/common/vitals.inc.php", the `row[dir name]` parameter in "include/classes/module/module.class.php", and the `lang path` parameter in "include/classes/phpmailer/class.phpmailer.php". Recommendations: For ATutor version 1.5.3.2, consider disabling the vulnerable parameters `section`, `req lang`, `row[dir name]`, and `lang path` in their respective files until a patch is available. Restrict access to the affected PHP files to minimize the risk of exploitation. Avoid using the specified parameters in the affected API endpoints until the issue is resolved.