CVE-2019-16114

Exploit

EPSS 20.8%
Veröffentlicht 09.09.2019 13:15:11
Zuletzt bearbeitet 21.11.2024 04:30:04
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In ATutor 2.2.4, an unauthenticated attacker can change the application settings and force it to use his crafted database, which allows him to gain access to the application. Next, he can change the directory that the application uploads files to, which allows him to achieve remote code execution. This occurs because install/include/header.php does not restrict certain changes (to db_host, db_login, db_password, and content_dir) within install/include/step5.php.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Atutor ≫ Atutor Version <= 2.2.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	20.8%	0.951

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/MostafaSoliman/Security-Advisories/blob/master/CVE-2019-16114/README.md

Third Party Advisory

Exploit

https://github.com/atutor/ATutor/commits/master

Patch

https://nvd.nist.gov/vuln/detail/CVE-2019-16114

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-16114

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-16114

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2019-16114