ATutor 1.6.4 Cross Site Scripting

2010.03.19
Credit: ItSecTeam
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2010-0971
CWE: CWE-79
Dork: \"ATutor 1.6.4\"


CVSS Base Score: 2.1/10
Impact Subscore: 2.9/10
Exploitability Subscore: 3.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Dear Sir / Madam The Itsecteam has discovered 3 new bugs in ATutor 1.6.4 CMS and will be glad to report and public them . more information about these bugs are listed below : Topic : ATutor 1.6.4 Bugs Type : Cross Site Scripting (all of them) Credit : ItSecTeam Remote : Yes Status : Bug # mail : Bug@ItSecTeam.com # Dork : "ATutor 1.6.4" #Special Tnx : am!rkh@n, Amin Shokohi(Pejvak), C0M0D0 , 0xd41684c654 , r3dmove And All It Security Team Members #Website : WwW.ITSecTeam.com<http://www.itsecteam.com/> ########################## Exploit ############################# the bugs can be explited as below: #1: After logging in as an instructor go to manage section and add a poll and inject your XSS code as a questaion or choices. #2: After logging in as an instructor go to manage section and Create a new Group and inject your XSS code as title or group type. #3: After logging in as an instructor go to manage section and Add an Assignment with XSS code as title. -- With Best Regards

References:

http://xforce.iss.net/xforce/xfdb/56852
http://www.securityfocus.com/bid/38656
http://www.exploit-db.com/exploits/11685
http://secunia.com/advisories/38906
http://packetstormsecurity.org/1003-exploits/atutor-xss.txt
http://osvdb.org/62906
http://osvdb.org/62905
http://osvdb.org/62904


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top