ATutor version 1.6.4 suffers from a cross site scripting vulnerability.
3669732d40933733498b181a2186eccb89b07c4994be07577c6cc535a7e43be9
Dear Sir / Madam
The Itsecteam has discovered 3 new bugs in ATutor 1.6.4 CMS and will be
glad to report and public them .
more information about these bugs are listed below :
Topic : ATutor 1.6.4
Bugs Type : Cross Site Scripting (all of them)
Credit : ItSecTeam
Remote : Yes
Status : Bug
# mail : Bug@ItSecTeam.com
# Dork : "ATutor 1.6.4"
#Special Tnx : am!rkh@n, Amin Shokohi(Pejvak), C0M0D0 , 0xd41684c654 ,
r3dmove And All It Security Team Members
#Website : WwW.ITSecTeam.com<https://www.itsecteam.com/>
########################## Exploit #############################
the bugs can be explited as below:
#1: After logging in as an instructor go to manage section and add a poll and inject your XSS code as a questaion or choices.
#2: After logging in as an instructor go to manage section and Create a new Group and inject your XSS code as title or group type.
#3: After logging in as an instructor go to manage section and Add an Assignment with XSS code as title.
--
With Best Regards