SRC-2016-0002 : ATutor LMS Multiple Reflected Cross Site Scripting Vulnerabilities
ATutor 2.2.1 is confirmed, other versions may also be affected.
A total of 704 reflected Cross Site Scripting (XSS) vulnerabilities were found that can allow remote attackers to inject arbitrary web script or HTML via unspecified parameters against vulnerable installations of ATutor. User interaction is required to exploit these vulnerabilities: a target administrator must visit a malicious page.
ATutor has issued an update to correct this vulnerability. More details can be found at: https://github.com/atutor/ATutor/commit/476aa3389f1c5b55467aed9f20db55901c103557
- 2016-02-25 – Vulnerability reported to vendor
- 2016-02-25 – CVE requested with response
- 2016-02-25 – Vendor asks for more clarification
- 2016-02-25 – Source Incite sends a single proof of concept for the 704 issues
- 2016-02-25 – Vendor confirms issues
- 2016-03-18 – Vendor releases a patch
- 2016-03-18 – Coordinated public release of advisory
This vulnerability was discovered by Steven Seeley of Source Incite