{"id":"CVE-2019-12169","details":"ATutor 2.2.4 allows Arbitrary File Upload and Directory Traversal, resulting in remote code execution via a \"..\" pathname in a ZIP archive to the mods/_core/languages/language_import.php (aka Import New Language) or mods/_standard/patcher/index_admin.php (aka Patcher) component.","modified":"2026-04-10T04:12:00.891879Z","published":"2019-06-03T20:29:00.703Z","references":[{"type":"ADVISORY","url":"https://github.com/fuzzlove"},{"type":"EVIDENCE","url":"https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit"},{"type":"EVIDENCE","url":"http://incidentsecurity.com/atutor-2-2-4-language_import-arbitrary-file-upload-rce/"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/153870/ATutor-2.2.4-Arbitrary-File-Upload-Command-Execution.html"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/158246/ATutor-2.2.4-Directory-Traversal-Remote-Code-Execution.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/atutor/atutor","events":[{"introduced":"68285ea31de595c67d5f60720fb76d49c6347f3a"},{"last_affected":"57f990d1a31b234a7c68bf70c40386565bc449e2"}],"database_specific":{"versions":[{"introduced":"2.2.1"},{"last_affected":"2.2.4"}]}}],"versions":["atutor_2_2_1","atutor_2_2_4"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-12169.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}