PT-2005-2986 · Atutor · Atutor

Lostmon · Published 2005-06-16 · Updated 2008-09-05 · CVE-2005-2044

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: ATutor versions 1.4.3 through 1.5 RC 1

Description: Multiple scripts in ATutor echo request parameters into the page without HTML-encoding them, so a remote attacker can inject arbitrary web script or HTML (reflected cross-site scripting, XSS). The affected scripts and parameters are:

browse.php: show_course
contact.php: subject
content.php: cid
inbox/send_message.php: l
search.php: search, words, include, find_in, display_as
tile.php: submit, query, field
forum/subscribe_forum.php: us
directory.php: roles[], status, submit, reset_filter

Recommendations: For ATutor 1.4.3 and 1.5 RC 1, restrict access to the affected scripts (browse.php, contact.php, content.php, inbox/send_message.php, search.php, tile.php, forum/subscribe_forum.php and directory.php), for example by limiting them to authenticated or trusted users, until the problem is fixed, and do not build links or forms that pass the listed parameters to those scripts. Any code-level fix has to HTML-encode each of these parameters (in PHP, htmlspecialchars() with ENT_QUOTES) before it is written into the page; the patch should then be verified by confirming that a probe value containing <, " and ' is reflected only in its entity-encoded form. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
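The check suggested above, as an added example that is not part of this advisory and is not ATutor's or the researcher's code: a small Python probe that sends a canary value to every script/parameter pair listed in the advisory and classifies each response as reflecting the canary raw (vulnerable), entity-encoded (fixed) or not at all. The base URL and the response bodies used for the offline run are constructed here for illustration; a real run would point it at an ATutor instance you are authorized to test.

```python
"""Reflected-XSS probe for the ATutor parameters named in CVE-2005-2044.

Added example: the (script, parameter) pairs come from the advisory text;
everything else (base URL, response bodies, fetch function) is constructed
for illustration and is not ATutor's own code.
"""
import html
import urllib.parse
import urllib.request

# Script/parameter pairs listed in the advisory for ATutor 1.4.3 .. 1.5 RC 1.
AFFECTED = [
    ("browse.php", "show_course"),
    ("contact.php", "subject"),
    ("content.php", "cid"),
    ("inbox/send_message.php", "l"),
    ("search.php", "search"),
    ("search.php", "words"),
    ("search.php", "include"),
    ("search.php", "find_in"),
    ("search.php", "display_as"),
    ("tile.php", "submit"),
    ("tile.php", "query"),
    ("tile.php", "field"),
    ("forum/subscribe_forum.php", "us"),
    ("directory.php", "roles[]"),
    ("directory.php", "status"),
    ("directory.php", "submit"),
    ("directory.php", "reset_filter"),
]

# Canary containing the characters that must be encoded before reaching HTML.
CANARY = 'xss"<canary>'
CANARY_ENCODED = html.escape(CANARY, quote=True)  # xss&quot;&lt;canary&gt;


def build_probe_urls(base_url):
    """One GET URL per affected pair, with the canary in that parameter."""
    base = base_url.rstrip("/")
    urls = []
    for script, param in AFFECTED:
        query = urllib.parse.urlencode({param: CANARY})
        urls.append((script, param, f"{base}/{script}?{query}"))
    return urls


def classify_reflection(body, canary=CANARY):
    """'raw' if the canary comes back with < and " intact (exploitable XSS),
    'encoded' if only the entity-escaped form appears, 'none' if not reflected."""
    if canary in body:
        return "raw"
    if html.escape(canary, quote=True) in body:
        return "encoded"
    return "none"


def scan(base_url, fetch):
    """Probe every affected pair; `fetch(url)` must return the response body."""
    results = {}
    for script, param, url in build_probe_urls(base_url):
        results[(script, param)] = classify_reflection(fetch(url))
    return results


def live_fetch(url):
    """Fetch over HTTP (only against a system you are authorized to test)."""
    with urllib.request.urlopen(url, timeout=10) as resp:  # hypothetical use
        return resp.read().decode("utf-8", errors="replace")


# Constructed responses standing in for a real server so the example runs offline.
VULNERABLE_BODY = '<html><body><h2>Search results for: xss"<canary></h2></body></html>'
FIXED_BODY = '<html><body><h2>Subject: xss&quot;&lt;canary&gt;</h2></body></html>'


def simulated_fetch(url):
    """Constructed server: search.php echoes raw, contact.php encodes, the rest ignore the value."""
    path = urllib.parse.urlsplit(url).path
    if path.endswith("/search.php"):
        return VULNERABLE_BODY
    if path.endswith("/contact.php"):
        return FIXED_BODY
    return "<html><body>ok</body></html>"


if __name__ == "__main__":
    # Replace simulated_fetch with live_fetch to probe a real installation.
    for (script, param), verdict in scan("http://atutor.example", simulated_fetch).items():
        print(f"{verdict:8} {script}?{param}")
```

A "raw" verdict means the parameter is written into the page unencoded; "encoded" means the output-encoding fix is in place for that parameter. Because the probe only looks at the HTML body, a parameter reflected inside a JavaScript block or a URL attribute can still be exploitable even when angle brackets are encoded, so treat "encoded" as evidence for this sink only, not as a clean bill of health for the script.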

Exploit


Related identifiers

CVE-2005-2044

Affected products

Atutor