CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

Chamilo LMS v1.11.13 lacks validation on the user modification form, allowing attackers to escalate privileges to Platform Admin. • https://support.chamilo.org/projects/1/wiki/Security_issues • CWE-20: Improper Input Validation

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL. • https://support.chamilo.org/projects/1/wiki/Security_issues • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields. • https://github.com/andrejspuler/writeups/tree/main/chamilo-lms#multiple-stored-cross-site-scripting-vulnerabilities https://github.com/chamilo/chamilo-lms/commit/19189a91d1eac9aa204b9439b82e3e73c8ac2e03 https://github.com/chamilo/chamilo-lms/commit/cf84be1ca1d9a08ad1341dfbf8df475b13a89072 https://github.com/chamilo/chamilo-lms/commit/fd54f6194285f949c86060d3b2a7967b43689480 https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-61-2021-05-14-Low-impact-very-low-risk-XSS-in-course-name https://support.chamilo.org/projects/1/wiki • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 2

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php. • https://github.com/andrejspuler/writeups/tree/main/chamilo-lms#unauthenticated-sql-injection-2-in-plugin https://github.com/andrejspuler/writeups/tree/main/chamilo-lms#unauthenticated-sql-injection-in-compilatio-module https://github.com/chamilo/chamilo-lms/commit/36149c1ff99973840a809bb865f23e1b23d6df00 https://github.com/chamilo/chamilo-lms/commit/6a98e32bb04aa66cbd0d29ad74d7d20cc7e7e9c5 https://github.com/chamilo/chamilo-lms/commit/f398b5b45c019f873a54fe25c815dbaaf963728b https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-59-2021& • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 8.8 • EPSS: 1% • CPEs: 1 • EXPL: 1

A remote code execution (RCE) vulnerability in course_intro_pdf_import.php of Chamilo LMS v1.11.x allows authenticated attackers to execute arbitrary code via a crafted .htaccess file. • https://github.com/andrejspuler/writeups/tree/main/chamilo-lms#authenticated-remote-code-execution-in-import-file https://github.com/chamilo/chamilo-lms/commit/2e5c004b57d551678a1815500ef91524ba7bb757 https://github.com/chamilo/chamilo-lms/commit/905a21037ebc9bc5369f0fb380177cb56f496f5c https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-66-2021-05-21-High-impact-very-low-risk-Authenticated-RCE-in-accessory-script • CWE-862: Missing Authorization