CVE-2019-11446

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-11446

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-11446.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2019-11446

Published

2019-04-22T11:29:06Z

Modified

2025-01-08T05:38:08.610858Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The $IllegalExtensions value only lists lowercase (and thus .phP is a bypass), and omits .shtml and .phtml.

References

Affected packages

Git / github.com/atutor/atutor

Affected ranges

Type: GIT
Repo: https://github.com/atutor/atutor
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

57f990d1a31b234a7c68bf70c40386565bc449e2

Affected versions

Other

atutor_1_4_2

atutor_1_5

atutor_1_5_1

atutor_1_5_2

atutor_1_5_3

atutor_1_5_3_1

atutor_1_5_3_2

atutor_1_5_3_3

atutor_1_5_5

atutor_2_1

atutor_2_1_1

atutor_2_2

atutor_2_2_1

atutor_2_2_2

atutor_2_2_4

start