Filtered by vendor Chamilo
Subscribe
Total
66 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2020-23126 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Chamilo LMS version 1.11.10 contains an XSS vulnerability in the personal profile edition form, affecting the user him/herself and social network friends. | |||||
CVE-2021-35414 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php. | |||||
CVE-2021-35413 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 6.0 MEDIUM | 8.8 HIGH |
A remote code execution (RCE) vulnerability in course_intro_pdf_import.php of Chamilo LMS v1.11.x allows authenticated attackers to execute arbitrary code via a crafted .htaccess file. | |||||
CVE-2021-43687 | 1 Chamilo | 1 Chamilo | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie. | |||||
CVE-2020-23128 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 4.0 MEDIUM | 4.9 MEDIUM |
Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege. | |||||
CVE-2021-34187 | 1 Chamilo | 1 Chamilo | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter. | |||||
CVE-2021-31933 | 1 Chamilo | 1 Chamilo | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution. | |||||
CVE-2021-37389 | 1 Chamilo | 1 Chamilo | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter. | |||||
CVE-2021-37390 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature). | |||||
CVE-2020-23127 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
Chamilo LMS 1.11.10 is affected by Cross Site Request Forgery (CSRF) via the edit_user function by targeting an admin user. | |||||
CVE-2021-32925 | 1 Chamilo | 1 Chamilo | 2024-02-04 | 5.5 MEDIUM | 6.5 MEDIUM |
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. | |||||
CVE-2021-37391 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature. | |||||
CVE-2021-26746 | 1 Chamilo | 1 Chamilo | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI. | |||||
CVE-2015-9540 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 5.8 MEDIUM | 6.1 MEDIUM |
Chamilo LMS through 1.9.10.2 allows a link_goto.php?link_url= open redirect, a related issue to CVE-2015-5503. | |||||
CVE-2013-0738 | 1 Chamilo | 1 Chamilo | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blog.php and announcements.php. | |||||
CVE-2013-0739 | 1 Chamilo | 1 Chamilo | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script. | |||||
CVE-2012-4030 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 6.4 MEDIUM | 7.5 HIGH |
Chamilo before 1.8.8.6 does not adequately handle user supplied input by the index.php script, which could allow remote attackers to delete arbitrary files. | |||||
CVE-2012-4029 | 1 Chamilo | 1 Chamilo | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action. | |||||
CVE-2019-13082 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php file in a folder and then this folder in a ZIP archive, the server will accept this file without any checks. Because one can access this file from the website, it is remote code execution. This is related to a scorm imsmanifest.xml file, the import_package function, and extraction in $courseSysDir.$newDir. | |||||
CVE-2018-20327 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
Chamilo LMS version 1.11.8 contains XSS in main/template/default/admin/gradebook_list.tpl in the gradebook dependencies tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits. |