Vulnerabilities (CVE)

Filtered by vendor Chamilo Subscribe
Total 66 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-23126 1 Chamilo 1 Chamilo Lms 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
Chamilo LMS version 1.11.10 contains an XSS vulnerability in the personal profile edition form, affecting the user him/herself and social network friends.
CVE-2021-35414 1 Chamilo 1 Chamilo Lms 2024-02-04 7.5 HIGH 9.8 CRITICAL
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.
CVE-2021-35413 1 Chamilo 1 Chamilo Lms 2024-02-04 6.0 MEDIUM 8.8 HIGH
A remote code execution (RCE) vulnerability in course_intro_pdf_import.php of Chamilo LMS v1.11.x allows authenticated attackers to execute arbitrary code via a crafted .htaccess file.
CVE-2021-43687 1 Chamilo 1 Chamilo 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie.
CVE-2020-23128 1 Chamilo 1 Chamilo Lms 2024-02-04 4.0 MEDIUM 4.9 MEDIUM
Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege.
CVE-2021-34187 1 Chamilo 1 Chamilo 2024-02-04 7.5 HIGH 9.8 CRITICAL
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
CVE-2021-31933 1 Chamilo 1 Chamilo 2024-02-04 6.5 MEDIUM 7.2 HIGH
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.
CVE-2021-37389 1 Chamilo 1 Chamilo 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter.
CVE-2021-37390 1 Chamilo 1 Chamilo Lms 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature).
CVE-2020-23127 1 Chamilo 1 Chamilo Lms 2024-02-04 6.8 MEDIUM 8.8 HIGH
Chamilo LMS 1.11.10 is affected by Cross Site Request Forgery (CSRF) via the edit_user function by targeting an admin user.
CVE-2021-32925 1 Chamilo 1 Chamilo 2024-02-04 5.5 MEDIUM 6.5 MEDIUM
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.
CVE-2021-37391 1 Chamilo 1 Chamilo Lms 2024-02-04 3.5 LOW 5.4 MEDIUM
A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature.
CVE-2021-26746 1 Chamilo 1 Chamilo 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI.
CVE-2015-9540 1 Chamilo 1 Chamilo Lms 2024-02-04 5.8 MEDIUM 6.1 MEDIUM
Chamilo LMS through 1.9.10.2 allows a link_goto.php?link_url= open redirect, a related issue to CVE-2015-5503.
CVE-2013-0738 1 Chamilo 1 Chamilo 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blog.php and announcements.php.
CVE-2013-0739 1 Chamilo 1 Chamilo 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script.
CVE-2012-4030 1 Chamilo 1 Chamilo Lms 2024-02-04 6.4 MEDIUM 7.5 HIGH
Chamilo before 1.8.8.6 does not adequately handle user supplied input by the index.php script, which could allow remote attackers to delete arbitrary files.
CVE-2012-4029 1 Chamilo 1 Chamilo 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action.
CVE-2019-13082 1 Chamilo 1 Chamilo Lms 2024-02-04 7.5 HIGH 9.8 CRITICAL
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php file in a folder and then this folder in a ZIP archive, the server will accept this file without any checks. Because one can access this file from the website, it is remote code execution. This is related to a scorm imsmanifest.xml file, the import_package function, and extraction in $courseSysDir.$newDir.
CVE-2018-20327 1 Chamilo 1 Chamilo Lms 2024-02-04 3.5 LOW 5.4 MEDIUM
Chamilo LMS version 1.11.8 contains XSS in main/template/default/admin/gradebook_list.tpl in the gradebook dependencies tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits.