ATutor Unrestricted Upload of File with Dangerous Type Vulnerability - CVE-2019-11446 - Vulnerability Database

Severity: High
Reference: CVE-2019-11446
Title: ATutor Unrestricted Upload of File with Dangerous Type Vulnerability
Overview:

An issue was discovered in ATutor through 2.2.4. It allows the user to run commands on the server with the teacher user privilege. The Upload Files section in the File Manager field contains an arbitrary file upload vulnerability via upload.php. The IllegalExtensions value lists only lowercase extensions (so .phP bypasses it) and omits .shtml and .phtml.
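
The two gaps described above (case-sensitive matching and an incomplete denylist) are shown here next to a hardened allowlist check. This is an added example, not ATutor's code: the function names, both extension lists and the sample file names are constructed for illustration.

```php
<?php
// Added example, not ATutor's code. Lists and function names are hypothetical.

// Constructed denylist in the style the advisory describes: lowercase entries
// only, with phtml and shtml missing.
const ILLEGAL_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'exe', 'sh'];

// Assumed allowlist of course-material types for the hardened check.
const ALLOWED_EXTENSIONS = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'docx'];

// Weak check: case-sensitive comparison of the final extension to a denylist.
function weak_is_allowed(string $filename): bool
{
    $ext = pathinfo($filename, PATHINFO_EXTENSION);
    return !in_array($ext, ILLEGAL_EXTENSIONS, true);
}

// Hardened check: require exactly one extension made of safe characters,
// lowercase it, then require membership in the allowlist.
function hardened_is_allowed(string $filename): bool
{
    $name = basename($filename);
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return false; // no extension, multiple dots, dotfile, or odd characters
    }
    return in_array(strtolower($m[1]), ALLOWED_EXTENSIONS, true);
}

// Constructed sample names covering the cases the advisory lists.
$samples = ['notes.pdf', 'page.php', 'page.phP', 'page.phtml',
            'page.shtml', 'a.php.png'];

foreach ($samples as $s) {
    printf(
        "%-12s weak=%-6s hardened=%s\n",
        $s,
        weak_is_allowed($s) ? 'accept' : 'reject',
        hardened_is_allowed($s) ? 'accept' : 'reject'
    );
}
```

The weak check accepts `page.phP`, `page.phtml` and `page.shtml`; the hardened check accepts only `notes.pdf`. Extension filtering is one layer: storing uploads where the web server does not execute scripts removes the dependence on the list being complete.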