Description
ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.
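The class of archive described above can be rejected before anything is written to disk. The following is an added example in Python, not ATutor's code or the vendor's fix; the function names, the extension allowlist and the sample archives are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Assumption: a language pack only needs these file types (hypothetical allowlist).
ALLOWED_EXT = {".sql", ".xml", ".csv", ".txt"}

def unsafe_entries(zip_bytes, dest_dir):
    """Return (name, reason) for every archive member that must not be extracted."""
    dest = os.path.realpath(dest_dir)
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # Treat backslashes as separators so "..\\" cannot slip past the check.
            name = info.filename.replace("\\", "/")
            target = os.path.realpath(os.path.join(dest, name))
            if name.startswith("/") or os.path.commonpath([dest, target]) != dest:
                problems.append((info.filename, "escapes destination"))
            elif not info.is_dir() and os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
                problems.append((info.filename, "extension not allowed"))
    return problems

def safe_extract(zip_bytes, dest_dir):
    """Extract only if every member passes; otherwise reject the whole upload."""
    problems = unsafe_entries(zip_bytes, dest_dir)
    if problems:
        raise ValueError(f"archive rejected: {problems}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_dir)

def build_sample(names):
    """Constructed test archive: each name becomes a one-line member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "constructed sample\n")
    return buf.getvalue()
```

Rejecting the whole upload on the first bad member, rather than skipping that member, keeps a partially extracted archive from ever reaching the web root.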
Remediation
References