CVE-2016-10400

Name of the Vulnerable Software and Affected Versions ATutor versions prior to 2.2.2

Description A Directory Traversal issue exists, allowing an attacker to read arbitrary files. This can be achieved by exploiting the icon parameter in the /mods/ core/courses/users/create course.php endpoint, and then visiting the get course icon.php endpoint with a specially crafted id parameter after the traversal attack.

Recommendations For versions prior to 2.2.2, update to version 2.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the create course.php and get course icon.php endpoints to minimize the risk of exploitation. Avoid using the icon parameter in the affected endpoint until the issue is resolved.