cbcvebase.
CVE-2023-27008
published 2023-03-28

Priority: P277 (medium)
CVSS 3.1 base score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Flags: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 1.50% (71.1st percentile)
A Cross-site scripting (XSS) vulnerability in the function encrypt_password() in login.tmpl.php in ATutor 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter.

Affected (1 range)

Vendor: atutor; Product: atutor; version range and fixed-in version: not listed on this record.

Detection & IOCs (extracted from sources)

url: POST /atutor/login.php
path: /atutor/login.php
command: token=asdf");}alert(document.domain);+function+asdf()+{//
  • The XSS payload is delivered via the `token` POST body parameter to /atutor/login.php. Look for POST requests to this endpoint whose token field contains JavaScript injection patterns such as `alert(document.domain)` or `");}`.
  • The response body reflects the unescaped payload; match for the string `);}alert(document.domain); function` together with `ATutor` and `Login` in the HTTP 200 response body.
  • Shodan/FOFA fingerprinting for exposed ATutor instances: search for `http.html:"Atutor"` or `http.html:"atutor"` (Shodan) and `body="atutor"` (FOFA).
  • The vulnerable function is `encrypt_password()` in `login.tmpl.php`. Code review or file-integrity monitoring should target this file for unexpected modifications.
  • The Content-Type of the exploit request is `application/x-www-form-urlencoded`; WAF rules should inspect URL-encoded POST bodies to /atutor/login.php for XSS payloads in the token parameter.
  • The Nuclei template targets the path `/atutor/login.php`; installations not hosted under the `/atutor/` sub-path will require the path to be adjusted for accurate detection.
  • The template is verified for ATutor exactly at version 2.2.1; the CPE scope is `cpe:2.3:a:atutor:atutor:2.2.1`. Versions prior to 2.2.1 may also be vulnerable, but the template was not validated against them.
  • Exploitation requires user interaction (CVSS UI:R): the reflected payload only executes in a victim's browser context, so server-side log scanning alone may miss exploitation attempts that did not result in a victim click.
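As an added example (not part of this record and not ATutor's or the template's own code), the following Python applies the first two notes above, the token-field patterns and the reflected-response marker, to constructed request and response records; the log tuple shape, the benign field names and the adjustable `login_path` parameter are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Token-field patterns named in the detection notes above.
TOKEN_PATTERNS = [re.compile(p) for p in (r"alert\(document\.domain\)", r'"\);\}')]
# Reflected fragment the notes say to match in the HTTP 200 response body.
REFLECTION_MARKER = ");}alert(document.domain); function"

def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into {name: [values]}.
    Hand-rolled so a ';' inside the payload is never treated as a pair separator."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return fields

def token_is_suspicious(body):
    """True if any decoded `token` value in the form body matches an XSS pattern."""
    return any(p.search(v) for v in parse_form(body).get("token", []) for p in TOKEN_PATTERNS)

def scan_requests(records, login_path="/atutor/login.php"):
    """records: (method, path, content_type, body) tuples; returns the bodies to alert on.
    login_path is adjustable for installs not served under /atutor/ (see the notes)."""
    return [
        body for method, path, ctype, body in records
        if method == "POST" and path == login_path
        and ctype.startswith("application/x-www-form-urlencoded")
        and token_is_suspicious(body)
    ]

def response_reflects_payload(status, body):
    """Server echoed the unescaped payload back on an ATutor login page."""
    return status == 200 and REFLECTION_MARKER in body and "ATutor" in body and "Login" in body

# Constructed sample traffic (not real logs): a benign login, the raw payload from the
# record, a fully URL-encoded copy of the same payload, and a POST to another path.
SAMPLE_REQUESTS = [
    ("POST", "/atutor/login.php", "application/x-www-form-urlencoded", "user=alice&token=abc123"),
    ("POST", "/atutor/login.php", "application/x-www-form-urlencoded",
     'token=asdf");}alert(document.domain);+function+asdf()+{//'),
    ("POST", "/atutor/login.php", "application/x-www-form-urlencoded",
     "token=asdf%22%29%3B%7Dalert%28document.domain%29%3B+function+asdf%28%29+%7B%2F%2F"),
    ("POST", "/atutor/index.php", "application/x-www-form-urlencoded", "token=%22%29%3B%7D"),
]
# Constructed response body showing the reflection the second note describes.
SAMPLE_RESPONSE = '<title>ATutor Login</title><script>var t="asdf");}alert(document.domain); function asdf() {//";</script>'

if __name__ == "__main__":
    for body in scan_requests(SAMPLE_REQUESTS):
        print("suspicious token POST:", body)
    print("payload reflected:", response_reflects_payload(200, SAMPLE_RESPONSE))
```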

CVSS provenance

NVD: v3.1, 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck: 6.1 MEDIUM