CVE-2019-7172: Vulnerability discovered in the package ATutor

Vulnerability Reports
February 11, 2019
Jason Franscisco


CVE Number

CVE-2019-7172

CWE

CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

Product Details

ATutor is an open source web based online learning system which is mainly used to design, develop and deliver the online courses.


Vulnerable Versions


Vulnerability Details

The `Real Name` value is printed on the Accounts page without any output escaping, so a user-controlled name is rendered as markup; this leaves the application vulnerable to a cross-site scripting (XSS) attack.

Reference link: https://github.com/atutor/ATutor/issues/164
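The following PHP snippet is an added illustration and is not ATutor's own code: it contrasts a raw echo of the `Real Name` value, which is the behaviour reported above, with context-aware escaping at the point of output, plus a restrictive Content Security Policy as defence in depth. The function names and the sample `$realName` value are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not ATutor's own code. Function names and the sample
// $realName value below are constructed for this example.

/** Escape for HTML text content and for quoted attribute values. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES covers both ' and " so the same helper is safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable rendering: the stored value is written into the page unchanged. */
function renderAccountRowVulnerable(string $realName): string
{
    return '<td class="real-name">' . $realName . '</td>';
}

/** Fixed rendering: escape once, per output context, at the moment of output. */
function renderAccountRowFixed(string $realName): string
{
    // The same value lands in two contexts (attribute and text node); each
    // occurrence is escaped where it is emitted, not when it was stored.
    return '<td class="real-name" title="' . escapeHtml($realName) . '">'
        . escapeHtml($realName)
        . '</td>';
}

/** Defence in depth: a restrictive CSP so an escaping gap elsewhere is not enough on its own. */
function sendHardeningHeaders(): void
{
    if (headers_sent()) {
        return;
    }
    // Inline scripts are blocked by this policy; scripts must come from the
    // same origin (or carry a nonce), which blunts an injected <script> element.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample input: a display name that carries markup.
$realName = 'Mallory <script>alert(1)</script>';

sendHardeningHeaders();
echo renderAccountRowVulnerable($realName), PHP_EOL;
echo renderAccountRowFixed($realName), PHP_EOL;
```

Run from the command line, the first `echo` reproduces the script tags verbatim, while the second prints them as `&lt;script&gt;...&lt;/script&gt;`, which a browser shows as text rather than executing. A value that has to reach JavaScript belongs in a JSON-encoded form (`json_encode` with the `JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT` flags), not in a string concatenated into a script. Note that the `X-XSS-Protection` header recommended below relies on browser XSS auditors that major browsers have removed, so it should be treated as a legacy setting and not as a substitute for output escaping and CSP.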

Recommendations

  • Avoid inserting untrusted input data into the page content
  • Give high priority to input filtering techniques
  • Always sanitize data for its output context (HTML escape, attribute escape, JavaScript escape, JSON parsing and HTML encoding) before inserting it into the page content
  • Use a Content Security Policy and adopt an auto-escaping template system
  • Implement the X-XSS-Protection response header

Disclosure Timeline

  • Vendor Disclosure: 2019-01-16
  • Public Disclosure: 2019-02-11

Discovered by ACE Team - Loginsoft

