CVE-2017-1000004

moderate-risk
Published 2017-07-17

ATutor version 2.2.1 and earlier are vulnerable to a SQL injection in the Assignment Dropbox, BasicLTI, Blog Post, Blog, Group Course Email, Course Alumni, Course Enrolment, Group Membership, Course unenrolment, Course Enrolment List Search, Glossary, Social Group Member Search, Social Friend Search, Social Group Search, File Comment, Gradebook Test Title, User Group Membership, Inbox/Sent Items, Sent Messages, Links, Photo Album, Poll, Social Application, Social Profile, Test, Content Menu, Auto-Login, and Gradebook components resulting in information disclosure, database modification, or potential code execution.

Do I need to act?

~
2.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Atutor

References (6)

Vendor Advisory http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55
Permissions Required http://www.atutor.ca/atutor/mantis/view.php?id=5681
Third Party Advisory http://www.securityfocus.com/bid/99599
Vendor Advisory http://www.atutor.ca/atutor/mantis/changelog_page.php?version_id=55
Permissions Required http://www.atutor.ca/atutor/mantis/view.php?id=5681
Third Party Advisory http://www.securityfocus.com/bid/99599
42
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 5/34 · Minimal
Exposure 5/34 · Minimal