180 matches found
CVE-2026-28430 Chamilo LMS Vulnerable to Unauthenticated SQL Injection in chamiko-lms model.ajax.php
Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the customdates parameter. By chaining this with a predictable legacy password reset mechanism, an...
CVE-2026-28430 Chamilo LMS Vulnerable to Unauthenticated SQL Injection in chamiko-lms model.ajax.php
Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the customdates parameter. By chaining this with a predictable legacy password reset mechanism, an...
PT-2026-25807
Chamilo LMS is a learning management system. Chamilo LMS version 1.11.34 and prior contains a Reflected Cross-Site Scripting XSS vulnerability in the session category listing page. The keyword parameter from $ REQUEST is echoed directly into an HTML href attribute without any encoding or...
CVE-2025-59544
Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "categoryid" parameter which allows users to update the category of any user by replacing the "categoryid" parameter. This issue...
CVE-2025-59540
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...
CVE-2026-29041
Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not...
CVE-2025-59544
Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "categoryid" parameter which allows users to update the category of any user by replacing the "categoryid" parameter. This issue...
CVE-2025-59540
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...
CVE-2026-29041 Chamilo: Authenticated Remote Code Execution via Unrestricted File Upload
Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not...
CVE-2025-59540 Chamilo: Stored Cross-Site Scripting (XSS) in Chamilo LMS Exercise Feedback
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...
CVE-2025-59540
CVE-2025-59540 affects Chamilo LMS prior to version 1.11.34. A stored cross-site scripting (XSS) vulnerability exists in the feedback input on the exercise history page, where unencoded input can be stored in the database and later rendered, enabling arbitrary JavaScript execution in the browser ...
EUVD-2025-208337
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...
CVE-2025-55289
Chamilo LMS has a stored XSS vulnerability in the social network and internal messaging features present in versions prior to 1.11.34. The issue allows an attacker to inject arbitrary JavaScript that executes in the browser of an authenticated user (including administrators) when viewing the inje...
CVE-2025-55289 Chamilo: Stored Cross Site Scripting in Skills Argumentation
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS Verison 1.11.32 allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by an authenticated user includin...
PT-2026-23631
Name of the Vulnerable Software and Affected Versions Chamilo versions prior to 1.11.34 Description Chamilo is a learning management system with a stored cross-site scripting XSS issue. The issue exists in the platform’s social network and internal messaging features. An attacker can inject...
PT-2026-23634
Name of the Vulnerable Software and Affected Versions Chamilo versions prior to 1.11.34 Description Chamilo LMS is susceptible to an authenticated remote code execution issue stemming from insufficient validation of uploaded files. The application depends on MIME-type verification for file upload...
CVE-2025-55208
Summary: CVE-2025-55208 affects Chamilo LMS prior to 1.11.34. A Stored XSS via insecure file uploads in the Social Networks feature allows a low-privilege user to execute arbitrary code in the admin inbox, enabling admin account takeover. The issue is fixed in version 1.11.34. The provided metric...
CVE-2025-55208 Chamilo LMS has Stored Cross Site Scripting on Social Networks Uploaded Files
Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in Social Networks. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34 fixes the issue...
CVE-2025-55208 Chamilo LMS has Stored Cross Site Scripting on Social Networks Uploaded Files
Chamilo is a learning management system. Versions prior to 1.11.34 have a Stored XSS through insecure file uploads in Social Networks. Through it, a low-privilege user can execute arbitrary code in the admin user inbox, allowing takeover of the admin account. Version 1.11.34 fixes the issue...
PT-2026-23510
Name of the Vulnerable Software and Affected Versions Chamilo versions prior to 1.11.34 Description Chamilo, a learning management system, contains a Stored Cross-Site Scripting XSS issue stemming from insecure file uploads within the Social Networks feature. A user with limited privileges can...