PT-2012-5815 · Atutor · Atutor

Published

2012-10-22

Updated

2017-08-29

CVE-2012-5167

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions ATutor AContent versions prior to 1.2-1

Description The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the field parameter to "course category/index inline editor submit.php" or "user/index inline editor submit.php", or the id parameter to "user/user password.php".

Recommendations For versions prior to 1.2-1, update to version 1.2-1 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints "course category/index inline editor submit.php", "user/index inline editor submit.php", and "user/user password.php" until a patch is available. Avoid using the field and id parameters in the affected endpoints until the issue is resolved.

Exploit

Fix

RCE

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2012-5167

Affected Products

Atutor

PT-2012-5815 · Atutor · Atutor

CVE-2012-5167

Weakness Enumeration

Related Identifiers

Affected Products

References · 13