CVE-2010-0971

Name of the Vulnerable Software and Affected Versions ATutor version 1.6.4

Description The issue allows remote authenticated users with Instructor privileges to inject arbitrary web script or HTML. This can be achieved via several fields in different scripts, including the Question and Choice fields in "tools/polls/add.php", the Type and Title fields in "tools/groups/create manual.php", and the Title field in "assignments/add assignment.php".

Recommendations For ATutor version 1.6.4, consider restricting access to the Instructor privileges until a patch is available, and avoid using the vulnerable fields in the specified scripts to minimize the risk of exploitation.