CVE-2021-24184 — Missing Authorization in Tutor LMS

CWE-862 — Missing Authorization CWE-269 — Improper Privilege Management4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.6%

top 30.40%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Themeum Tutor LMS

Timeline

PublishedApr 5

Latest updateMay 24

Description

Several AJAX endpoints in the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 were unprotected, allowing students to modify course information and elevate their privileges among many other actions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDthemeum/tutor_lms< 1.7.7

🔴Vulnerability Details

GHSA

GHSA-5hff-r5rf-v64j: Several AJAX endpoints in the Tutor LMS – eLearning and online course solution WordPress plugin before 1↗2022-05-24

▶

CVEList

Tutor LMS < 1.7.7 - Unprotected AJAX including Privilege Escalation↗2021-04-05

▶

VulnCheck

themeum tutor_lms Missing Authorization↗2021

▶