Vulnerabilities > CVE-2019-16114 - Incorrect Authorization vulnerability in Atutor

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

atutor

CWE-863

critical

NVD

Published: 2019-09-09

Updated: 2020-08-24

Summary

In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.

Vulnerable Configurations

Part	Description	Count
Application	Atutor Atutor Atutor 0.9.6 Atutor Atutor 0.9.7 Atutor Atutor 1.0 Atutor Atutor 1.2.1 Atutor Atutor 1.2.2 Atutor Atutor 1.3 Atutor Atutor 1.3.1 Atutor Atutor 1.3.2 Atutor Atutor 1.3.3 Atutor Atutor 1.4 Atutor Atutor 1.4.1 Atutor Atutor 1.4.2 Atutor Atutor 1.4.3 Atutor Atutor 1.5 Atutor Atutor 1.5.1 Atutor Atutor 1.5.2 Atutor Atutor 1.5.3 Atutor Atutor 1.5.3.1 Atutor Atutor 1.5.3.2 Atutor Atutor 1.5.3.3 Atutor Atutor 1.5.4 Atutor Atutor 1.5.5 Atutor Atutor 1.6 Atutor Atutor 1.6.1 Atutor Atutor 1.6.2 Atutor Atutor 1.6.3 Atutor Atutor 1.6.4 Atutor Atutor 2.0 Atutor Atutor 2.0.1 Atutor Atutor 2.0.2 Atutor Atutor 2.0.3 Atutor Atutor 2.1 Atutor Atutor 2.1.1 Atutor Atutor 2.2 Atutor Atutor 2.2.1 Atutor Atutor 2.2.2 Atutor Atutor 2.2.4	45

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References