CVE-2019-16114
First published: Mon Sep 09 2019(Updated: )
In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Atutor Atutor | <=2.2.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-16114?
CVE-2019-16114 is a vulnerability in ATutor 2.2.4 that allows an unauthenticated attacker to gain access and achieve remote code execution by manipulating application settings.
How severe is CVE-2019-16114?
CVE-2019-16114 has a severity score of 9.8, making it a critical vulnerability.
How can I fix CVE-2019-16114?
To mitigate CVE-2019-16114, users should update ATutor to a patched version that addresses this vulnerability.
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/last-modified-date
- agent/remedy
- agent/tags
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/atutor
- canonical/atutor atutor
- version/atutor atutor/2.2.4