Full Report
CERT Polska has received a report about two vulnerabilities (CVE-2026-6909 and CVE-2026-6956) found in ATutor software.
Analysis Summary
# Vulnerability: Multiple Reflected XSS in ATutor LMS
## CVE Details
- **CVE ID:** CVE-2026-6909 and CVE-2026-6956
- **CVSS Score:** Not explicitly provided in the source (Typically 6.1 Medium for Reflected XSS)
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation / Cross-site Scripting)
## Affected Systems
- **Products:** ATutor (Learning Management System)
- **Versions:** 2.2.4 (Confirmed); other versions may be affected as the product is no longer supported.
- **Configurations:** Systems where the `/install/` directory remains accessible or is actively being used for setup/upgrades.
## Vulnerability Description
ATutor contains two distinct Reflected Cross-Site Scripting (XSS) vulnerabilities:
1. **CVE-2026-6909:** Located in the `/install/upgrade.php` endpoint. The application fails to properly neutralize user-supplied input before rendering it back to the page.
2. **CVE-2026-6956:** Located in the `/install/install.php` endpoint. Similar to the above, input passed via the URL is not sanitized, allowing for malicious script injection.
In both cases, an attacker can craft a malicious URL containing JavaScript. If a logged-in user or administrator clicks this link, the script executes within the context of their browser session.
## Exploitation
- **Status:** PoC available (coordinated disclosure via CERT Polska); no reports of exploitation in the wild are mentioned.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low/Medium (Can lead to session hijacking or theft of sensitive information via cookies).
- **Integrity:** Medium (Can allow for unauthorized actions performed on behalf of the victim user).
- **Availability:** Low (Typically does not result in a denial of service).
## Remediation
### Patches
- **No Patches Available:** The product is no longer actively supported. The maintainers did not respond to the vulnerability report or provide official fixes.
### Workarounds
- **Restrict Access:** Forbid web access to the `/install/` directory on production servers.
- **Remove Install Files:** Delete `install.php` and `upgrade.php` (or the entire `/install/` folder) if the installation/upgrade process is complete.
- **WAF Implementation:** Deploy a Web Application Firewall (WAF) to filter common XSS patterns in URL parameters targeting the affected endpoints.
## Detection
- **Indicators of Compromise:** Unusual activity in web server logs featuring `<script>` tags or encoded JavaScript (e.g., `%3Cscript%3E`) targeting `/install/upgrade.php` or `/install/install.php`.
- **Detection Methods:** Dynamic application security testing (DAST) scanners can be used to test the parameters of these endpoints for input that is reflected without neutralization.
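The log-based indicator above can be turned into a small triage script. The following is an added example, not part of the CERT Polska advisory or of ATutor: it parses combined-format access-log lines, percent-decodes the query string repeatedly (so double-encoded payloads such as `%253C` are caught), and flags requests to the two affected endpoints whose query looks like script injection. The log lines and the parameter name `param` are constructed; the advisory does not name the vulnerable parameters.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoints named in the advisory (matched by suffix so sub-directory installs are covered).
ATUTOR_INSTALL_PATHS = ("/install/install.php", "/install/upgrade.php")

# Apache/nginx "combined" access-log prefix: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators of a reflected-XSS attempt in a query string (after decoding).
XSS_RE = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %253Cscript%253E -> %3Cscript%3E -> <script>."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(lines):
    """Return (client_ip, path, decoded_query) for suspicious requests to the install endpoints."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(ATUTOR_INSTALL_PATHS):
            continue  # only the two endpoints from the advisory are in scope
        query = decode_fully(parts.query)
        if XSS_RE.search(query):
            hits.append((m.group("ip"), parts.path, query))
    return hits


# Constructed sample traffic (not real logs): one benign setup request, one encoded
# and one double-encoded probe against the install endpoints, one out-of-scope request.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/May/2026:10:00:01 +0000] "GET /install/install.php?step=2 HTTP/1.1" 200 1834',
    '203.0.113.9 - - [12/May/2026:10:00:07 +0000] "GET /install/upgrade.php?param=%3Cscript%3E%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.2 - - [12/May/2026:10:00:09 +0000] "GET /atutor/install/install.php?param=%253Cscript%253E HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/May/2026:10:00:12 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, path, query in scan_access_log(SAMPLE_LOG):
        print(f"{ip} -> {path} ? {query}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file's lines; requests to other pages are deliberately ignored so the output stays focused on the advisory's two endpoints.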
## References
- CERT Polska Advisory: [hxxtps://cert.pl/en/posts/2024/05/vulnerabilities-in-atutor-software/](https://cert.pl/en/posts/2024/05/vulnerabilities-in-atutor-software/) (Note: Source dated May 2026).
- CVE-2026-6909: [hxxtps://www.cve.org/CVERecord?id=CVE-2026-6909](https://www.cve.org/CVERecord?id=CVE-2026-6909)
- CVE-2026-6956: [hxxtps://www.cve.org/CVERecord?id=CVE-2026-6956](https://www.cve.org/CVERecord?id=CVE-2026-6956)