Page 3 of 26 results (0.008 seconds)

CVSS: 6.5 • EPSS: 1% • CPEs: 1 • EXPL: 1

13 May 2021 — admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. • https://github.com/andrejspuler/writeups/blob/main/chamilo-lms/README.md#authenticated-rcelfi-in-user-import-via-xml-external-entity---cve-2021-32925 • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 7.2 • EPSS: 8% • CPEs: 1 • EXPL: 2

30 Apr 2021 — A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution. • https://www.exploit-db.com/exploits/49867 • CWE-706: Use of Incorrectly-Resolved Name or Reference

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Feb 2021 — Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI. • https://github.com/chamilo/chamilo-lms/commit/d939402d83bf68af5377b629883d8e5437d843ec • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Jan 2020 — Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script. • http://www.securityfocus.com/bid/58735 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Jan 2020 — Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blog.php and announcements.php. • http://www.securityfocus.com/bid/58735 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Aug 2012 — Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action. Chamilo version 1... • http://support.chamilo.org/attachments/download/2863/chamilo-1.8.8.4-to-1.8.8.6.patch • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')