CVE-2019-12169

Name of the Vulnerable Software and Affected Versions ATutor version 2.2.4

Description The issue allows for arbitrary file upload and directory traversal, resulting in remote code execution. This can be achieved by including a ".." pathname in a ZIP archive uploaded to specific components, such as the Import New Language or Patcher component, which are accessed through the mods/ core/languages/language import.php or mods/ standard/patcher/index admin.php endpoints.

Recommendations For ATutor version 2.2.4, consider restricting access to the language import.php and index admin.php files until a patch is available. As a temporary workaround, avoid using the ZIP archive upload feature in the Import New Language and Patcher components to minimize the risk of exploitation.