SRC-2016-0002 : ATutor LMS Multiple Reflected Cross Site Scripting Vulnerabilities

CVE ID:

N/A

CVSS Score:

4.3, (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Vendors:

ATutor

Affected Products:

ATutor 2.2.1 is confirmed, other versions may also be affected.

Vulnerability Details:

A total of 704 reflected Cross Site Scripting (XSS) vulnerabilities were found that can allow remote attackers to inject arbitrary web script or HTML via unspecified parameters against vulnerable installations of ATutor. User interaction is required to exploit these vulnerabilities, in that a targeted administrator must visit a malicious page.

The specific flaws exist where PHP superglobal array variables are written directly into the page without output encoding. An attacker can craft a JavaScript payload and deceive an administrator into performing a malicious upload. This can result in remote code execution in the context of the web server.
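The following is an added example, not ATutor's own code or the vendor's patch: it shows the unsafe pattern the advisory describes (a superglobal echoed straight into markup) beside a hardened form, plus a simple source-review check. The function names and the `$request` array standing in for `$_GET` are hypothetical.

```php
<?php
// Added example (not ATutor's code). Reflected XSS of the kind described in
// the advisory: a request parameter is written into the HTML response
// unchanged, so a crafted link makes the page reflect attacker-controlled
// markup to whoever follows it.

// Vulnerable: the superglobal value lands in both an attribute and the
// element body with no encoding at all.
function render_unsafe(array $get): string
{
    $page = $get['page'] ?? '';
    return '<a href="index.php?page=' . $page . '">' . $page . '</a>';
}

// Hardened: encode for the context the value is placed in. The URL part is
// percent-encoded first; both parts are then HTML-encoded with ENT_QUOTES so
// single and double quotes cannot terminate the attribute.
function render_safe(array $get): string
{
    $page = $get['page'] ?? '';
    $attr = htmlspecialchars(rawurlencode($page), ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($page, ENT_QUOTES, 'UTF-8');
    return '<a href="index.php?page=' . $attr . '">' . $text . '</a>';
}

// Review helper: flags a line of PHP source that outputs a superglobal
// element directly (echo/print/<?=) with no call wrapped around it. A coarse
// heuristic for triage, not a substitute for reading the code.
function flags_direct_superglobal_output(string $line): bool
{
    $pattern = '/(?:\becho\b|\bprint\b|<\?=)\s*["\']?[^;]*?'
             . '\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\[/';
    return preg_match($pattern, $line) === 1;
}

// Constructed request value standing in for $_GET; the quote and angle
// brackets are what the unsafe renderer fails to neutralise.
$request = ['page' => '"><b>unencoded</b>'];

echo render_unsafe($request), PHP_EOL;
echo render_safe($request), PHP_EOL;

// Constructed source lines for the review helper.
var_dump(flags_direct_superglobal_output('echo $_SERVER[\'PHP_SELF\'];'));
var_dump(flags_direct_superglobal_output('echo htmlspecialchars($_GET[\'p\']);'));
```

Compare the two rendered anchors: the first breaks out of the attribute, the second keeps the input inert in both contexts.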

Vendor Response:

ATutor has issued an update to correct these vulnerabilities. More details can be found at: https://github.com/atutor/ATutor/commit/476aa3389f1c5b55467aed9f20db55901c103557

Disclosure Timeline:

  • 2016-02-25 – Vulnerability reported to vendor
  • 2016-02-25 – CVE requested with response
  • 2016-02-25 – Vendor asks for more clarification
  • 2016-02-25 – Source Incite sends a single proof of concept for the 704 issues
  • 2016-02-25 – Vendor confirms issues
  • 2016-03-18 – Vendor releases a patch
  • 2016-03-18 – Coordinated public release of advisory

Credit:

These vulnerabilities were discovered by Steven Seeley of Source Incite.