SRC-2016-0001 : ATutor LMS install_modules CSRF Remote Code Execution Vulnerability
CVSS Score:

9.3, (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected Vendors:


Affected Products:

ATutor 2.2.1 is confirmed, other versions may also be affected.

Vulnerability Details:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ATutor. User interaction is required to exploit this vulnerability in that a target administrator must visit a malicious page.

The specific flaw exists in the handling of data sent to the 'import_modules.php' page. An attacker can craft a JavaScript payload and deceive an administrator into performing a malicious module upload. This can result in remote code execution in the context of the web server.
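The following is an added illustration, not ATutor's code and not the advisory's proof of concept: it shows in generic PHP why an administrative upload handler that relies on the session cookie alone can be driven by a page the administrator merely visits, and the hardening a defender would apply (a per-session token compared in constant time, plus an Origin/Referer check that fails closed). The function names, the `csrf_token` field, the host names and the sample requests are all assumptions constructed for this example.

```php
<?php
// Added example (not ATutor's code). Function names, the 'csrf_token' field,
// the host names and the sample requests below are assumptions for illustration.

// Vulnerable shape: an authenticated administrator session is the only gate.
// The browser attaches the session cookie automatically, so a form on a foreign
// page that auto-submits to this handler is accepted as if the admin sent it.
function handle_upload_vulnerable(array $session, array $files): string
{
    if (empty($session['is_admin'])) {
        return 'denied: not an administrator';
    }
    // ... the uploaded archive would be extracted into the modules directory here ...
    return 'installed: ' . $files['module']['name'];
}

// Hardened shape, part 1: a secret token stored in the session and embedded in
// the legitimate form. A cross-site page cannot read it, so it cannot forge it.
function csrf_token_for(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hardened shape, part 2: reject requests whose Origin (or, failing that,
// Referer) is not this site. Fails closed when neither header is present.
function request_origin_allowed(array $server, string $expected_host): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

function handle_upload_hardened(array &$session, array $post, array $files, array $server, string $site_host): string
{
    if (empty($session['is_admin'])) {
        return 'denied: not an administrator';
    }
    if (!request_origin_allowed($server, $site_host)) {
        return 'denied: cross-site origin';
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time so the token cannot be guessed byte by byte.
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return 'denied: missing or invalid CSRF token';
    }
    return 'installed: ' . $files['module']['name'];
}

// Demonstration with constructed requests (run with: php example.php).
$session = ['is_admin' => true];
$token   = csrf_token_for($session);
$files   = ['module' => ['name' => 'example_module.zip', 'tmp_name' => '/tmp/php_constructed']];

// A forged request: session cookie present, no token, foreign Origin header.
$forged_server = ['HTTP_ORIGIN' => 'https://third-party.example'];
echo handle_upload_vulnerable($session, $files), "\n";
echo handle_upload_hardened($session, [], $files, $forged_server, 'lms.example.org'), "\n";

// A legitimate request: same-origin and carrying the token from the rendered form.
$own_server = ['HTTP_ORIGIN' => 'https://lms.example.org'];
echo handle_upload_hardened($session, ['csrf_token' => $token], $files, $own_server, 'lms.example.org'), "\n";
```

The vulnerable handler installs the module on the forged request because nothing in it distinguishes a request the administrator intended from one a visited page submitted on their behalf; the hardened handler rejects it at the origin check and would also reject it at the token check if the origin headers were missing. Both checks are kept because each covers a failure of the other: the token guards against browsers or proxies that strip Origin and Referer, and the origin check limits the damage if a token is ever leaked.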

Vendor Response:

ATutor has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline:

  • 2016-02-23 – Vulnerability reported to vendor
  • 2016-02-24 – CVE requested and assigned
  • 2016-02-24 – Vendor confirmed issue
  • 2016-03-05 – Vendor releases a patch
  • 2016-03-06 – Coordinated public release of advisory

Proof of Concept:


This vulnerability was discovered by Steven Seeley of Source Incite