Description
Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension as a customicon for a new course, then accessing it via a direct request to the file in content/.
Remediation
References
Related Vulnerabilities
WordPress Plugin Hot Files:File Sharing and Download Manager Cross-Site Scripting (1.0.0)
WordPress 3.7.x Multiple Vulnerabilities (3.7 - 3.7.32)
WordPress Plugin WP Subscribe Cross-Site Scripting (1.0.2)
WordPress Plugin Audio 'showfile' Parameter Cross-Site Scripting (0.5.1)
WordPress Plugin No Page Comment Multiple Vulnerabilities (1.1)