CVE-2017-1000004 Information

Description

ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components, resulting in information disclosure, database modification, or potential code execution.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55

http://www.atutor.ca/atutor/mantis/view.php?id=5681

http://www.securityfocus.com/bid/99599

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

CRITICAL
