CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37064
https://notcve.org/view.php?id=CVE-2023-37064
07 Jul 2023 — Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section. • https://github.com/chamilo/chamilo-lms/commit/91ecc6141de6de9483c5a31fbb9fa91450f24940 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37065
https://notcve.org/view.php?id=CVE-2023-37065
07 Jul 2023 — Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section. • https://github.com/chamilo/chamilo-lms/commit/da61f287d2e508a5e940953b474051d0f21e91c0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-27425
https://notcve.org/view.php?id=CVE-2022-27425
15 Apr 2022 — Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php. Se ha detectado que Chamilo LMS versión v1.11.13, contiene una vulnerabilidad de tipo cross-site scripting (XSS) por medio del componente /blog/blog.php • https://support.chamilo.org/projects/1/wiki/Security_issues • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2021-40662
https://notcve.org/view.php?id=CVE-2021-40662
21 Mar 2022 — A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL. Una vulnerabilidad de tipo Cross-Site Request Forgery (CSRF) en Chamilo LMS versión 1.11.14, permite a atacantes ejecutar comandos arbitrarios en hosts víctimas por medio de una interacción del usuario con una URL diseñada • https://febin0x4e4a.wordpress.com/2022/03/22/cve-2021-40662-chamilo-lms-1-11-14-rce • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-38745
https://notcve.org/view.php?id=CVE-2021-38745
21 Mar 2022 — Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page. Se ha detectado que Chamilo LMS versión v1.11.14, contiene una vulnerabilidad de inyección de código de cero clicks que permite a atacantes ejecutar código arbitrario por medio de un plugin diseñado. Esta vulnerabilidad es desencadenada mediante una interacción... • https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues#Issue-81-2021-07-26-High-impact-Low-risk-Zero-Code-RCE-in-admin • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43687
https://notcve.org/view.php?id=CVE-2021-43687
01 Dec 2021 — chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie. chamilo-lms versión v1.11.14, está afectado por una vulnerabilidad de tipo Cross Site Scripting (XSS) en el archivo /plugin/jcapture/applet.php si un atacante pasa un mensaje hex2bin en la cookie • http://chamilo-lms.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-37389
https://notcve.org/view.php?id=CVE-2021-37389
10 Aug 2021 — Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter. Chamilo versión 1.11.14, permite un ataque de tipo XSS almacenado por medio de los archivos main/install/index.php y main/install/ajax.php mediante el parámetro port • https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-34187
https://notcve.org/view.php?id=CVE-2021-34187
28 Jun 2021 — main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter. Un archivo main/inc/ajax/model.ajax.php en Chamilo versiones hasta 1.11.14, permite una inyección SQL por medio de los parámetros searchField, filters o filters2 • https://github.com/chamilo/chamilo-lms/commit/005dc8e9eccc6ea35264064ae09e2e84af8d5b59 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 1%CPEs: 1EXPL: 1CVE-2021-32925
https://notcve.org/view.php?id=CVE-2021-32925
13 May 2021 — admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. el archivo admin/user_import.php en Chamilo versión 1.11.x, lee datos XML sin deshabilitar la capacidad de cargar entidades externas • https://github.com/andrejspuler/writeups/blob/main/chamilo-lms/README.md#authenticated-rcelfi-in-user-import-via-xml-external-entity---cve-2021-32925 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 7.2EPSS: 8%CPEs: 1EXPL: 2CVE-2021-31933 – Chamilo LMS 1.11.14 - Remote Code Execution (Authenticated)
https://notcve.org/view.php?id=CVE-2021-31933
30 Apr 2021 — A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution. Se presenta una vulnerabilidad de ejecución de código remota en Chamilo version... • https://www.exploit-db.com/exploits/49867 • CWE-706: Use of Incorrectly-Resolved Name or Reference •