SB2017101038 - Multiple vulnerabilities in ATutor
Published: October 10, 2017 Updated: August 8, 2020
Description
This security bulletin contains information about 2 vulnerabilities.
1) Cross-site request forgery (CVE-ID: CVE-2015-1583)
The vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and mods/_core/users/create_user.
2) Cross-site scripting (CVE-ID: CVE-2015-6521)
The vulnerability allows a remote authenticated user to read and manipulate data.
Multiple cross-site scripting (XSS) vulnerabilities exist in ATutor LMS version 2.2.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- http://packetstormsecurity.com/files/130598/ATutor-LCMS-2.2-Cross-Site-Request-Forgery.html
- http://www.securityfocus.com/bid/72845
- https://edricteo.com/cve-2015-1583-atutor-lcms-csrf-vulnerability/
- https://github.com/atutor/ATutor/commit/068b8aa37f24645c62235018fb8da340f60e2d18
- https://github.com/atutor/ATutor/commit/0ee827317e497f1db86ddc5080b8af461e4595ce
- https://github.com/atutor/ATutor/commit/af519cfb56da7312eecbb5812484fcbce08e4419
- http://www.openwall.com/lists/oss-security/2015/08/19/1
- https://github.com/atutor/ATutor/issues/103