SRC-2016-0001 : ATutor LMS install_modules CSRF Remote Code Execution Vulnerability
ATutor 2.2.1 is confirmed, other versions may also be affected.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ATutor. User interaction is required to exploit this vulnerability: a target administrator must visit a malicious page.
ATutor has issued an update to correct this vulnerability. More details can be found at: https://github.com/atutor/ATutor/commit/bfc6c80c6c217c5515172f3cc949e13dfa1a92ac
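The following is an added illustration of the control that defeats this class of attack; it is not ATutor's code and not the change in the commit linked above. A privileged, state-changing action (here, installing a module) is only honoured when the request carries a per-session CSRF token that a page on another origin cannot read, compared in constant time on the server. The unprotected handler is shown beside the guarded one so the difference is visible. The names CsrfGuard, handle_install_module and the request dictionary layout are constructed for this example.

```python
import hmac
import secrets


class CsrfGuard:
    """Synchronizer-token pattern: one random token per authenticated session.

    The token is embedded in forms served to the logged-in user; a
    cross-site page can make the browser *send* the session cookie, but it
    cannot *read* the token, so a forged request never carries it.
    """

    def __init__(self):
        self._tokens = {}  # session_id -> token (constructed in-memory store)

    def issue_token(self, session_id):
        token = secrets.token_hex(32)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison avoids leaking the token through timing.
        return hmac.compare_digest(expected, submitted)


def handle_install_module_unprotected(request):
    """Vulnerable shape: any authenticated POST installs the module.

    The browser attaches the admin's session cookie automatically, so a
    request triggered by an attacker-controlled page is indistinguishable
    from one the admin intended. Returns an HTTP-style status code.
    """
    if request["method"] != "POST":
        return 405
    if not request["form"].get("module"):
        return 400
    return 200  # module would be installed here


def handle_install_module(guard, request):
    """Hardened shape: same handler, but the CSRF token is checked first.

    request is a constructed dict: {"method", "session_id", "form"}.
    Returns 403 for a missing or mismatched token, 405 for non-POST,
    400 for a malformed form and 200 when the install may proceed.
    """
    if request["method"] != "POST":
        return 405
    if not guard.validate(request["session_id"], request["form"].get("csrf_token")):
        return 403
    if not request["form"].get("module"):
        return 400
    return 200  # module would be installed here


if __name__ == "__main__":
    guard = CsrfGuard()
    admin_session = "sess-admin"  # constructed session identifier
    token = guard.issue_token(admin_session)

    # Request the admin actually submitted from the application's own form.
    legitimate = {
        "method": "POST",
        "session_id": admin_session,
        "form": {"csrf_token": token, "module": "example_module"},
    }
    # Request triggered by a page on another origin: same cookie, no token.
    forged = {
        "method": "POST",
        "session_id": admin_session,
        "form": {"module": "example_module"},
    }

    print("unprotected, forged:", handle_install_module_unprotected(forged))  # 200
    print("guarded, legitimate:", handle_install_module(guard, legitimate))   # 200
    print("guarded, forged:    ", handle_install_module(guard, forged))       # 403
```

The token must be tied to the session and regenerated at login; a global or predictable token gives no protection. Checking the Origin or Referer header is a useful second layer, but the server-side token check is the control that closes the hole on its own.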
- 2016-02-23 – Vulnerability reported to vendor
- 2016-02-24 – CVE requested and assigned
- 2016-02-24 – Vendor confirmed issue
- 2016-03-05 – Vendor releases a patch
- 2016-03-06 – Coordinated public release of advisory
Proof of Concept:
This vulnerability was discovered by Steven Seeley of Source Incite.