CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-37390
https://notcve.org/view.php?id=CVE-2021-37390
10 Aug 2021 — A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature). Se presenta una vulnerabilidad de tipo XSS reflejado en Chamilo LMS versión 1.11.14, en la función main/social/search.php=q URI (funcionalidad de búsqueda en redes sociales) • https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 2CVE-2021-37391 – Chamilo LMS 1.11.14 - Account Takeover
https://notcve.org/view.php?id=CVE-2021-37391
10 Aug 2021 — A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature. Un usuario sin privilegios en Chamilo LMS versión 1.11.14, puede enviar un mensaje de invitación a otro usuario, por ejemplo, el administrador, mediante los archivos main/social/se... • https://www.exploit-db.com/exploits/50694 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1000017
https://notcve.org/view.php?id=CVE-2019-1000017
04 Feb 2019 — Chamilo Chamilo-lms version 1.11.8 and earlier contains an Incorrect Access Control vulnerability in Tickets component that can result in an authenticated user can read all tickets available on the platform, due to lack of access controls. This attack appears to be exploitable via ticket_id=[ticket number]. This vulnerability appears to have been fixed in 1.11.x after commit 33e2692a37b5b6340cf5bec1a84e541460983c03. Chamilo Chamilo-lms, en versiones 1.11.8 y anteriores, contiene una vulnerabilidad de contro... • https://github.com/chamilo/chamilo-lms/commit/33e2692a37b5b6340cf5bec1a84e541460983c03 • CWE-862: Missing Authorization •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1000015
https://notcve.org/view.php?id=CVE-2019-1000015
04 Feb 2019 — Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in main/messages/new_message.php, main/social/personal_data.php, main/inc/lib/TicketManager.php, main/ticket/ticket_details.php that can result in a message being sent to the Administrator with the XSS to steal cookies. A ticket can be created with a XSS payload in the subject field. This attack appears to be exploitable via
CVSS: 9.8EPSS: 1%CPEs: 20EXPL: 0CVE-2018-1999019
https://notcve.org/view.php?id=CVE-2018-1999019
23 Jul 2018 — Chamilo LMS version 11.x contains an Unserialization vulnerability in the "hash" GET parameter for the api endpoint located at /webservices/api/v2.php that can result in Unauthenticated remote code execution. This attack appear to be exploitable via a simple GET request to the api endpoint. This vulnerability appears to have been fixed in After commit 0de84700648f098c1fbf6b807dee28ec640efe62. Chamilo LMS en versiones 11.x contiene una vulnerabilidad de deserialización en el parámetro GET "hash" para el endp... • https://github.com/chamilo/chamilo-lms/commit/0de84700648f098c1fbf6b807dee28ec640efe62 • CWE-94: Improper Control of Generation of Code ('Code Injection') •