122 matches found
CVE-2015-9540
CVE-2015-9540 describes an open redirect in Chamilo LMS up to version 1.9.10.2 via the link_goto.php?link_url= parameter, related to CVE-2015-5503. Connected entries show the Drupal Chamilo integration module (7.x-1.x before 7.x-1.2) as a separate instance of the same issue. The vulnerability is ...
CVE-2023-34944
Chamilo LMS vulnerability CVE-2023-34944: Arbitrary code execution via SVG upload in /fileUpload.lib.php on Chamilo 1.11.* up to 1.11.18. Affected component and versions are confirmed; exploitation vector is a crafted SVG file uploaded to the vulnerable endpoint. Impact includes high confidential...
CVE-2023-34958
CVE-2023-34958 concerns Chamilo LMS versions 1.11.* up to 1.11.18. The vulnerability is described as an inadequate access control that allows a student enrolled in a course to download documents belonging to another student if they know the document’s ID. This is an information disclosure issue r...
CVE-2023-34961
CVE-2023-34961 affects Chamilo v1.11.x up to v1.11.18, with a cross-site scripting (XSS) vulnerability via the /feedback/comment field. The issue is documented across multiple sources (NVD, RH Red Hat, OSV, PT-2023-25077) and is associated with CVSS v3.1 base score 6.1 (Network, Low attack comple...
CVE-2023-34959
Chamilo LMS is affected: versions 1.11.* up to 1.11.18 expose a Server-Side Request Forgery (SSRF) through crafted requests in the social and links tools, enabling an attacker to obtain information about services running on the server. The public sources do not specify a concrete patch version or...
CVE-2023-4220
Summary (CVE-2023-4220, Chamilo LMS) Chamilo LMS
CVE-2012-4030
CVE-2012-4030 affects Chamilo before 1.8.8.6, where the index.php input handling is insecure, allowing remote attackers to delete arbitrary files. The issue is described in the NVD entry as a vulnerability in Chamilo that could enable unauthorized file deletion via crafted input. Public reference...
CVE-2022-27426
CVE-2022-27426 describes a Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13. Attackers can enumerate internal networks and execute arbitrary system commands through a crafted Phar file. The NVD CVSS vectors indicate a high impact (CVSSv3.1: 8.8, HIGH; network attack, low complexity, no...
CVE-2022-27421
CVE-2022-27421 affects Chamilo LMS v1.11.13. The issue is a lack of validation on the user modification form, which allows an attacker to escalate privileges to Platform Admin. Affected component is the user modification flow; root cause is insufficient input validation. Impact per sources: privi...
CVE-2022-27423
CVE-2022-27423 affects Chamilo LMS v1.11.13, exposing a SQL injection vulnerability via the blog_id parameter in /blog/blog.php. Public sources in the connected set confirm an injection flaw without detailing exploit vectors. The NVD entry lists CVSS 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (base ...
CVE-2019-13082
Chamilo LMS 1.11.8 and 2.x are affected by a remote code execution vulnerability in an unauthenticated ZIP upload path (lp_upload.php). The causes: archives are extracted before content checking, and after extraction there is no recursive verification of files, allowing a crafted ZIP that contain...
CVE-2021-37391
Summary: CVE-2021-37391 affects Chamilo LMS 1.11.14, with a stored XSS in the social/invite flow. A user without privileges can send an invitation via main/social/search.php and main/inc/lib/social.lib.php, enabling an attacker to steal cookies or execute arbitrary code on the administration side...
CVE-2013-6787
Chamilo LMS 1.9.6 and earlier is affected by an SQL injection in the /main/auth/profile.php flow, caused by insufficient validation of the password0 POST parameter in the check_user_password function. When the installation uses non-encrypted passwords (Encryption method set to none), a remote aut...
CVE-2023-34962
CVE-2023-34962 affects Chamilo LMS v1.11.x up to v1.11.18, where an incorrect access control allowed a student to arbitrarily access and modify another student’s personal notes. The issue is documented across multiple feeds (NVD, Red Hat, OSV, CVE List, etc.) with a high impact (C/H/I/H; CVSS 3.1...
CVE-2021-35413
CVE-2021-35413 affects Chamilo LMS v1.11.x. The vulnerability is in course_intro_pdf_import.php and allows an authenticated attacker to run arbitrary code via a crafted .htaccess file. Reported impact is remote code execution with high severity (CVSS v3.1: C:H, I:H, A:H; network vector; PR: Low; ...
CVE-2022-27422
Chamilo LMS v1.11.13 is affected by a reflected cross-site scripting (XSS) vulnerability that enables attackers to run arbitrary web scripts or HTML when a user interacts with a crafted URL. According to the sources, the issue arises from user interaction with specially crafted input, enabling sc...
CVE-2021-37390
CVE-2021-37390 affects Chamilo LMS 1.11.14, where a reflected XSS vulnerability exists in the social search feature (main/social/search.php?q). The issue stems from input handling in the social/search path, enabling injection that could affect users who load the vulnerable page. Public references...
CVE-2023-4221
Summary: CVE-2023-4221/4222 affect Chamilo LMS up to version 1.11.24. Technical details in connected docs show command injection vulnerabilities in specific PHP classes used for Learning Paths uploads: main/lp/openoffice_presentation.class.php (CVE-2023-4221) and main/lp/openoffice_text_document....
CVE-2018-1999019
CVE-2018-1999019 concerns Chamilo LMS 11.x, where an unserialization vulnerability in the GET parameter "hash" of the /webservices/api/v2.php endpoint enables unauthenticated remote code execution. The issue can be exploited with a simple GET request to the API. The vulnerability appears fixed af...
CVE-2024-30617
Chamilo LMS 1.11.26 is affected by a Cross-Site Request Forgery (CSRF) vulnerability affecting the /main/social/home.php endpoint, enabling an attacker to cause a user to post a fake update on their social wall without consent. The issue is documented across multiple feeds (NVD, Red Hat, OSV) wit...
CVE-2024-30619
Chamilo LMS 1.11.26 is affected by an Incorrect Access Control vulnerability (CVE-2024-30619). According to Red Hat and NVD entries, an unauthenticated attacker can query message and online-user counts via two AJAX endpoints: /main/inc/ajax/message.ajax.php?a=get_count_message and /main/inc/ajax/...
CVE-2024-51142
CVE-2024-51142: Concrete details across sources show a Cross Site Scripting vulnerability in Chamilo LMS v1.11.26, exploitable via the svkey parameter of storageapi.php. The underlying issue is XSS that can allow an attacker to execute arbitrary code. Affected software is Chamilo LMS 1.11.26 (st...
CVE-2024-30618
CVE-2024-30618 is a Stored XSS in Chamilo LMS 1.11.26 triggered by a malicious payload in the content parameter of group_topics.php. Impact is to execute JavaScript in a victim’s browser (confidentiality/integrity) with network access and user interaction required. Root cause is insufficient inpu...
CVE-2023-31805
CVE-2023-31805 affects Chamilo LMS 1.11.18. A local authenticated attacker can execute arbitrary code via the homepage function due to a Cross Site Scripting vulnerability. The issue is documented across multiple feeds; exploitation status is not provided in the sources. Remediation, when availab...
CVE-2023-31806
CVE-2023-31806: Chamilo LMS v1.11.18 contains a Cross Site Scripting (XSS) vulnerability in the My Progress function that can allow a local attacker to execute arbitrary code through a crafted payload. The issue is described across multiple sources in the connected documents with the same underl...
CVE-2023-31800
CVE-2023-31800: Chamilo LMS version 1.11.18 is affected by a Cross Site Scripting (XSS) vulnerability in the forum title parameter that could allow a local attacker to execute arbitrary code. The provided connected documents confirm the affected product/version and the vulnerable parameter but d...
CVE-2021-35414
CVE-2021-35414 (Chamilo LMS) affects Chamilo LMS v1.11.x via a SQL injection in the file path main/plagiarism/compilatio/upload.php, exploited through the doc parameter. The vulnerability originates from an unsafely handled parameter leading to a SQL injection vulnerability in a module related to...
CVE-2024-30616
CVE-2024-30616 affects Chamilo LMS 1.11.26, with Incorrect Access Control exposed at main/auth/profile. Non-admins can manipulate sensitive profile information, risking data integrity. Connected sources indicate a vendor fix is available and recommend updating Chamilo LMS (1.11.x) to a version co...
CVE-2018-20329
CVE-2018-20329 affects Chamilo LMS v1.11.8. The vulnerability is an SQL injection in main/inc/lib/CoursesAndSessionsCatalog.class.php, exploitable by users with access to the sessions catalogue (which may be public). The attacker can extract and/or modify database information. The connected docum...
CVE-2019-1000015
Chamilo LMS (version 1.11.8 and earlier) contains a Cross Site Scripting (XSS) vulnerability in main/messages/new_message.php, main/social/personal_data.php, main/inc/lib/TicketManager.php, and main/ticket/ticket_details.php. The issue can cause a message to be sent to the Administrator with an X...
CVE-2023-31803
CVE-2023-31803 affects Chamilo LMS v1.11.18. The vulnerability is a Cross Site Scripting (XSS) flaw in the resource sequencing parameters that could allow a local attacker to execute arbitrary code. According to the connected documents, the CVSS v3.1 base score is 4.8 (Medium) with AV:N, AC:L, PR...
CVE-2023-31807
CVE-2023-31807 affects Chamilo LMS up to v1.11.18. A cross-site scripting vulnerability in the Personal Notes feature can be triggered by a crafted payload, reportedly allowing a local attacker to execute arbitrary code. The available connected documents consistently describe the same issue but d...
CVE-2023-39582
The CVE-2023-39582 entry concerns Chamilo LMS versions 1.11 through 1.11.20 and describes a SQL Injection vulnerability in the import sessions functionality that could allow a remote privileged attacker to obtain sensitive information. The related connected documents consistently identify the aff...
CVE-2018-20327
Chamilo LMS 1.11.8 is affected by a cross-site scripting (XSS) vulnerability in main/template/default/admin/gradebook_list.tpl within the gradebook dependencies tool. The issue allows authenticated users to affect other users under specific administrator-granted permissions. The connected sources...
CVE-2023-31801
CVE-2023-31801 concerns Chamilo LMS v1.11.18, where a Cross-Site Scripting (XSS) vulnerability exists in the skills wheel parameter. An authenticated or local attacker can trigger script execution, potentially compromising user sessions or executing arbitrary code, as described in multiple sourc...
CVE-2023-31804
CVE-2023-31804 affects Chamilo LMS 1.11.18. The issue is a Cross Site Scripting vulnerability in the course category parameters, enabling a local attacker to execute arbitrary code (per the CVE description). The available sources consistently identify Chamilo LMS v1.11.18 as vulnerable; no explic...
CVE-2024-27524
CVE-2024-27524 and CVE-2024-27525 describe Cross Site Scripting in Chamilo LMS v1.11.26. CVE-2024-27524 impacts the new_ticket.php component via a crafted script in the filename parameter; CVE-2024-27525 affects the home.php component via a crafted script in the filename parameter. Root cause: XS...
CVE-2019-1000017
Chamilo LMS (Chamilo-lms) versions 1.11.8 and earlier are affected by an Incorrect Access Control vulnerability in the Tickets component. An authenticated user can read all tickets on the platform due to missing access restrictions, exploitable via the ticket_id parameter. The issue has been fixe...
CVE-2020-23126
Chamilo LMS 1.11.10 is affected by an XSS vulnerability in the personal profile edition form. The root cause is insufficient input validation/escaping in profile edit fields, allowing arbitrary script execution in the user's context (including social network friends). Impact is described as XSS; ...
CVE-2023-4223
Technical details for CVE-2023-4223 are not present in the provided documents; related advisories discuss Chamilo file-upload issues but do not provide specifics for this CVE. Monitor for updates.
CVE-2018-20328
Chamilo LMS 1.11.8 contains a cross-site scripting (XSS) vulnerability in main/social/group_view.php within the social groups tool. The issue allows an authenticated user to affect other users under specific permission configurations granted by administrators. The vulnerability is described as lo...
CVE-2021-35415
Chamilo LMS is affected by a stored XSS vulnerability (CVE-2021-35415) where a crafted payload in the course “Title” and “Content” fields can execute arbitrary web scripts/HTML. The issue is described across multiple sources, tying it to unsanitized input in these fields. The available records do...
CVE-2023-4226
CVE-2023-4226 affects Chamilo LMS = 1.11.26 mitigates the issue. The available connected documents provide concrete details on affected location, authentication level, and remediation: upgrade to the patched release, or implement input/file validation and server hardening as described in advisori...
CVE-2024-27525
CVE-2024-27525 is a Cross Site Scripting vulnerability in Chamilo LMS v1.11.26 exposing a privilege-escalation risk via a crafted script in the filename parameter of the home.php component. Multiple sources confirm the issue affects Chamilo LMS 1.11.26 and describe the root cause as XSS through t...
CVE-2023-31802
The provided connected data confirms a Cross Site Scripting (XSS) vulnerability in Chamilo LMS v1.11.18. The issue allows a local attacker to execute arbitrary code via the skype and linedin_url parameters. No explicit root-cause or vulnerable component version details beyond the affected LMS ver...
CVE-2023-31799
The CVE-2023-31799 vulnerability affects Chamilo LMS, specifically version 1.11.18 (and 1.11.x) where the system announcements parameter is vulnerable to Cross Site Scripting. The underlying issue allows a local attacker to execute arbitrary code via this parameter. In the provided documents, th...
CVE-2020-23127
CVE-2020-23127 affects Chamilo LMS 1.11.10 with a Cross-Site Request Forgery (CSRF) via the edit_user function targeting an administrator. Connected sources indicate the root cause is insufficient validation of trusted requests in the web application. Reported impact is enabling unauthorized acti...
CVE-2023-4222
CVE-2023-4222 concerns Chamilo LMS versions
CVE-2023-4224
CVE-2023-4224 affects Chamilo LMS up to version 1.11.24, via an unrestricted file upload in /main/inc/ajax/dropbox.ajax.php. Authenticated users with learner role can upload PHP files, enabling remote code execution. The vulnerability is documented in OSV/NVD entries for Chamilo LMS; no additiona...
CVE-2023-4225
Chamilo LMS