CVE-2019-12170

Name of the Vulnerable Software and Affected Versions ATutor versions prior to 2.2.5

Description The issue allows for arbitrary file uploads via the "mods/ core/backups/upload.php" component, potentially resulting in remote command execution. An attacker can use an instructor account to fully compromise the system by uploading a crafted backup ZIP archive, enabling them to write PHP files to the web root and execute code on the remote server.

Recommendations For ATutor versions prior to 2.2.5, update to version 2.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "mods/ core/backups/upload.php" component to minimize the risk of exploitation.