ATutor <= 2.2 (popuphelp.php) Reflected Cross-Site Scripting Vulnerability

• Affected Versions:

Version 2.2 and prior versions.

• Vulnerability Description:

The vulnerable code is located in the /popuphelp.php script:

26if ($_GET['h']) {
27    $h = $_GET['h'];
29    if (is_string($_GET['h'])) { // just a AT_HELP code with no prefix
30        $msg->printHelps($h);

User input passed through the “h” GET parameter is not properly sanitized before being passed to the Message::printHelps() method at line 30. This can be exploited to carry out Reflected Cross-Site Scripting (XSS) attacks.

• Solution:

No official solution is currently available.

• Disclosure Timeline:

[06/10/2014] – Vendor notified

[09/10/2014] – Vendor response stating this issue has been added to the bug tracker and it is relatively minor

[11/11/2014] – Vendor replied asking for fix suggestions

[11/11/2014] – Fix suggestions have been provided to the vendor

[30/09/2015] – CVE number requested

[05/10/2015] – CVE number assigned

[06/10/2015] – After one year still no official solution available

[04/11/2015] – Public disclosure

• CVE Reference:

The Common Vulnerabilities and Exposures project ( has assigned the name CVE-2015-7711 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.