Description
ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a ".." pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.
Remediation
References
Related Vulnerabilities
Perl Out-of-bounds Write Vulnerability (CVE-2023-47038)
WordPress Other Vulnerability (CVE-2007-2821)
WordPress Plugin Real Estate Website Builder 'ajax_action' Parameter Cross-Site Scripting (0.1.0)
Drupal Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2017-6381)
Envoy Proxy NULL Pointer Dereference Vulnerability (CVE-2022-29224)