CVE-2019-12169
published 2019-06-03

Priority: P2 75 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 73.32% (99.4th percentile)
ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.

Affected

1 range
Vendor | Product | Version range | Fixed in
atutor | atutor | 2.2.1 – 2.2.4 |

Detection & IOCs (extracted from sources)

path: mods/_standard/patcher/index_admin.php
  • Monitor for ZIP archive uploads containing '..' (directory traversal) path components submitted to the language_import.php or index_admin.php endpoints in ATutor.
  • Alert on HTTP GET requests to unexpected PHP files appearing in the web root (htdocs on Windows, html on Linux) following a ZIP upload to ATutor — this indicates successful payload drop and execution attempt.
  • Detect POST requests to mods/_core/languages/language_import.php or mods/_standard/patcher/index_admin.php containing multipart ZIP uploads with path traversal sequences ('../') inside the archive entries.
  • Newly created PHP files in the ATutor web root (htdocs/html) that were not part of the original installation should be treated as indicators of compromise — the dropped file contains an encoded remote command execution payload.
  • Exploitation requires valid ATutor administrator credentials — unauthenticated exploitation is not possible. Detections should be scoped to authenticated admin sessions.
  • The Metasploit module targets ATutor versions 2.2.4, 2.2.2, and 2.2.1; the CVE specifically references 2.2.4. Ensure version scope is considered when applying detections.
  • The web root path differs by OS: 'htdocs' on Windows (XAMPP) and 'html' on Linux. File-integrity monitoring rules must account for both paths.
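
A check for the ZIP-inspection items above, as an added example (not code from ATutor, the CVE sources or the Metasploit module): it lists archive entries whose names would resolve outside the extraction directory. The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile


def find_traversal_entries(zip_bytes):
    """Return entry names that would resolve outside the extraction directory."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Treat Windows separators like "/" so "..\\x.php" is also caught.
            parts = info.filename.replace("\\", "/").split("/")
            # Absolute path ("/x") or drive-letter path ("C:/x").
            absolute = parts[0] == "" or (len(parts[0]) == 2 and parts[0][1] == ":")
            depth, escapes = 0, False
            for part in parts:
                if part in ("", "."):
                    continue
                depth += -1 if part == ".." else 1
                if depth < 0:  # climbed above the extraction root
                    escapes = True
                    break
            if absolute or escapes:
                flagged.append(info.filename)
    return flagged


def build_sample():
    """Constructed archive: two benign entries, two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("language.xml", "<language/>")
        zf.writestr("lang/../readme.txt", "stays inside the root")
        zf.writestr("../../../dropped.php", "constructed placeholder")
        zf.writestr("..\\..\\dropped2.php", "constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_traversal_entries(build_sample()):
        print("traversal entry:", name)
```

An entry such as `lang/../readme.txt` is not flagged because it never climbs above the extraction root; only entries that do, or that are absolute, are reported.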

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P