AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2019-12170: ATutor through 2.2.4 is vulnerable to arbitrary file uploads via the mods/_core/backups/upload.php (aka backup) componen

infovulnerability

security

Source: NVD/CVE DatabaseMay 17, 2019CVE-2019-12170

Summary

ATutor (an educational software platform) versions through 2.2.4 have a vulnerability in their backup upload component that allows attackers to upload malicious files without proper restrictions. An attacker with instructor account access can upload a crafted ZIP file containing PHP code (a server-side programming language), which gets written to the web server and executed, giving them complete control over the system through RCE (remote code execution, where an attacker can run commands on a system they don't own).

Vulnerability Details

CVSS Score

9

EPSS (30-day exploit probability)

EPSS: 15.1%

Classification

Attack SophisticationModerate

Taxonomy References

CWE (Weakness Type)

CWE-434

CAPEC (Attack Pattern)

CAPEC-1

Original source: https://nvd.nist.gov/vuln/detail/CVE-2019-12170

First tracked: February 15, 2026 at 08:37 PM

Classified by LLM (prompt v3) · confidence: 95%