CVE-2019-16114

Source
https://cve.org/CVERecord?id=CVE-2019-16114
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16114.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-16114
Published
2019-09-09T13:15:11.777Z
Modified
2026-04-10T04:08:33.371993Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use an attacker-controlled database, which grants access to the application. The attacker can then change the directory that the application uploads files to, which allows remote code execution. This occurs because install/include/header.php does not restrict certain changes (to dbhost, dblogin, dbpassword, and contentdir) within install/include/step5.php.

References

Affected packages

Git / github.com/atutor/atutor

Affected ranges

Type
GIT
Repo
https://github.com/atutor/atutor
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.2.4"
        }
    ]
}

Affected versions

Other
atutor_1_4_2
atutor_1_5
atutor_1_5_1
atutor_1_5_2
atutor_1_5_3
atutor_1_5_3_1
atutor_1_5_3_2
atutor_1_5_3_3
atutor_1_5_5
atutor_2_1
atutor_2_1_1
atutor_2_2
atutor_2_2_1
atutor_2_2_4
start

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-16114.json"