CVE-2019-16114
Last modified
CVE-2019-16114 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. EPSS estimates a 4.78% chance of exploitation in the next 30 days.
Description
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Atutor | Atutor | <= 2.2.4 |
References
- https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.mdExploit, Third Party Advisory
- https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.mdExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-16114?
How severe is CVE-2019-16114?
How do I fix CVE-2019-16114?
Are you affected by CVE-2019-16114?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST