CVE-2014-9753

confirm.php in ATutor 2.2 and earlier allows remote attackers to bypass authentication and gain access as an existing user via the auto_login parameter.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 81%
VendorProductVersion
atutoratutor
𝑥
≤ 2.2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://karmainsecurity.com/KIS-2015-06
http://seclists.org/fulldisclosure/2015/Nov/11
http://update.atutor.ca/patch/2_2/2_2-6/patch.xml
http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded
https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d
http://karmainsecurity.com/KIS-2015-06
http://seclists.org/fulldisclosure/2015/Nov/11
http://update.atutor.ca/patch/2_2/2_2-6/patch.xml
http://www.securityfocus.com/archive/1/archive/1/536835/100/0/threaded
https://github.com/atutor/ATutor/commit/950a0299954e69b8742cc1f1a632f564435d4d7d