ATutor 2.2.4 Arbitrary File Upload / RCE (CVE-2019-12169)
Latest commit 2e043f5 Jun 9, 2019

Description: ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.

Greetz: wetw0rk, offsec ^^

Notes: This application is no longer being maintained so there is no fix for this issue.

update: if you wish to test this manually I have included the for a better understanding.
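Since there is no upstream fix, one mitigation is to screen archives before they reach the import or patcher component. The following is an added example, not code from this repository or from ATutor: it lists ZIP members whose names would resolve outside the extraction directory. The function names, the `dest` path and the sample file names are assumptions made for illustration.

```python
import io
import posixpath
import zipfile

S_IFMT, S_IFLNK = 0o170000, 0o120000  # Unix file-type mask and symlink type


def unsafe_entries(zip_bytes, dest="/srv/import"):
    """Return member names that would land outside dest if extracted naively.

    dest is a hypothetical extraction root, used only for path arithmetic;
    nothing is written to disk.
    """
    root = posixpath.normpath(dest)
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Some extractors treat backslashes as separators, so normalise them.
            name = info.filename.replace("\\", "/")
            # Upper 16 bits of external_attr hold the Unix mode, if present.
            is_symlink = ((info.external_attr >> 16) & S_IFMT) == S_IFLNK
            # Leading slash or a drive letter such as "C:" means an absolute path.
            absolute = name.startswith("/") or name[1:2] == ":"
            # Resolve ".." components against the root and check containment.
            resolved = posixpath.normpath(posixpath.join(root, name))
            escapes = resolved != root and not resolved.startswith(root + "/")
            if is_symlink or absolute or escapes:
                bad.append(info.filename)
    return bad


def build_sample(names):
    """Build an in-memory ZIP with the given member names (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "constructed placeholder content")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["language.csv", "lang/strings.xml", "../../outside.txt"])
    for entry in unsafe_entries(sample):
        print("rejected:", entry)
```

A name such as `lang/../ok.txt` still resolves inside the root and is not flagged; a stricter policy would reject any member containing a `..` component.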
