CVE-2019-16114

Name of the Vulnerable Software and Affected Versions ATutor version 2.2.4

Description The issue allows an unauthenticated attacker to modify application settings, forcing the application to use a crafted database. This enables the attacker to gain access to the application. Furthermore, the attacker can change the directory where files are uploaded, leading to remote code execution. This is due to a lack of restrictions on certain changes in the install/include/header.php file, specifically for db host, db login, db password, and content dir within install/include/step5.php.

Recommendations For ATutor version 2.2.4, restrict changes to db host, db login, db password, and content dir within install/include/step5.php to prevent unauthorized modifications. Additionally, consider implementing proper access controls to prevent unauthenticated attackers from modifying application settings.