CVE-2019-13082
https://notcve.org/view.php?id=CVE-2019-13082
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php file in a folder and then this folder in a ZIP archive, the server will accept this file without any checks. Because one can access this file from the website, it is remote code execution. This is related to a scorm imsmanifest.xml file, the import_package function, and extraction in $courseSysDir. • https://0xecute.com/?p=32 https://support.chamilo.org/projects/1/wiki/Security_issues • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2019-1000017
https://notcve.org/view.php?id=CVE-2019-1000017
Chamilo Chamilo-lms version 1.11.8 and earlier contains an Incorrect Access Control vulnerability in Tickets component that can result in an authenticated user can read all tickets available on the platform, due to lack of access controls. This attack appears to be exploitable via ticket_id=[ticket number]. This vulnerability appears to have been fixed in 1.11.x after commit 33e2692a37b5b6340cf5bec1a84e541460983c03. Chamilo Chamilo-lms, en versiones 1.11.8 y anteriores, contiene una vulnerabilidad de control de acceso incorrecto en el componente Tickets que puede resultar en que un usuario autenticado pueda leer todos los tickets disponibles en la plataforma debido a la falta de control de acceso. Este ataque parece ser explotable mediante ticket_id=[ticket number]. • https://github.com/chamilo/chamilo-lms/commit/33e2692a37b5b6340cf5bec1a84e541460983c03 https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-34-2019-01-14-Moderate-risk-moderate-impact-XSS-and-unauthorized-access • CWE-862: Missing Authorization •
CVE-2019-1000015
https://notcve.org/view.php?id=CVE-2019-1000015
Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in main/messages/new_message.php, main/social/personal_data.php, main/inc/lib/TicketManager.php, main/ticket/ticket_details.php that can result in a message being sent to the Administrator with the XSS to steal cookies. A ticket can be created with a XSS payload in the subject field. This attack appears to be exploitable via <svg/onload=alert(1)> as the payload user on the Subject field. This makes it possible to obtain the cookies of all users that have permission to view the tickets. This vulnerability appears to have been fixed in 1.11.x after commit 33e2692a37b5b6340cf5bec1a84e541460983c03. • https://github.com/chamilo/chamilo-lms/commit/33e2692a37b5b6340cf5bec1a84e541460983c03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20327
https://notcve.org/view.php?id=CVE-2018-20327
Chamilo LMS version 1.11.8 contains XSS in main/template/default/admin/gradebook_list.tpl in the gradebook dependencies tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators. This is considered "low risk" due to the nature of the feature it exploits. Chamilo LMS 1.11.8 contiene Cross-Site Scripting (XSS) en main/template/default/admin/gradebook_list.tpl en la herramienta de dependencias del gradebook, lo que permite que usuarios autenticados afecten a otros usuarios en condiciones específicas de permisos otorgados por los administradores. Se considera que esto tiene un "riesgo bajo" debido a la naturaleza de la característica que explota. • https://github.com/chamilo/chamilo-lms/commit/814049e5bd5317d761dda0ebbbc519cb2a64ab6c https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-32-2018-11-28-Low-risk-More-XSS-and-path-disclosure-issues • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-20329
https://notcve.org/view.php?id=CVE-2018-20329
Chamilo LMS version 1.11.8 contains a main/inc/lib/CoursesAndSessionsCatalog.class.php SQL injection, allowing users with access to the sessions catalogue (which may optionally be made public) to extract and/or modify database information. Chamilo LMS 1.11.8 contiene una inyección SQL en main/inc/lib/CoursesAndSessionsCatalog.class.php, lo que permite que usuarios con acceso al catálogo de sesiones (que podría hacerse público de forma opcional) extraigan y/o modifiquen la información de la base de datos. • https://github.com/chamilo/chamilo-lms/commit/bfa1eccfabb457b800618d9d115f12dc614a55df https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-33-2018-12-13-Moderate-risk-high-impact-SQL-Injection • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •