CVE-2006-3484

Name of the Vulnerable Software and Affected Versions ATutor versions prior to 1.5.3

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved by manipulating various parameters in different scripts, including show courses, current cat, p, forgot, cat, and submit parameters to specific API endpoints such as "/admin/create course.php", "/users/create course.php", "/documentation/admin/", "/password reminder.php", "/users/browse.php", and "/admin/fix content.php".

Recommendations For ATutor versions prior to 1.5.3, update to version 1.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters show courses, current cat, p, forgot, cat, and submit in the affected scripts until a patch is applied. Avoid using these parameters in the respective API endpoints until the issue is resolved.