Total
51 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-34962 | 1 Chamilo | 1 Chamilo Lms | 2025-01-06 | N/A | 8.1 HIGH |
| Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a student to arbitrarily access and modify another student's personal notes. | |||||
| CVE-2023-4226 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | N/A | 8.8 HIGH |
| Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | |||||
| CVE-2023-4225 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | N/A | 8.8 HIGH |
| Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | |||||
| CVE-2023-4224 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | N/A | 8.8 HIGH |
| Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | |||||
| CVE-2023-4223 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | N/A | 8.8 HIGH |
| Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | |||||
| CVE-2023-4222 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | N/A | 7.2 HIGH |
| Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters. | |||||
| CVE-2023-4221 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | N/A | 7.2 HIGH |
| Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters. | |||||
| CVE-2023-4220 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | N/A | 8.1 HIGH |
| Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell. | |||||
| CVE-2023-39582 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | N/A | 4.9 MEDIUM |
| SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions. | |||||
| CVE-2023-34944 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | N/A | 9.8 CRITICAL |
| An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file. | |||||
| CVE-2022-27426 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file. | |||||
| CVE-2022-27423 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php. | |||||
| CVE-2022-27422 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL. | |||||
| CVE-2022-27421 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| Chamilo LMS v1.11.13 lacks validation on the user modification form, allowing attackers to escalate privileges to Platform Admin. | |||||
| CVE-2021-37391 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
| A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature. | |||||
| CVE-2021-37390 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature). | |||||
| CVE-2021-35415 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 3.5 LOW | 4.8 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields. | |||||
| CVE-2021-35414 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php. | |||||
| CVE-2021-35413 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 6.0 MEDIUM | 8.8 HIGH |
| A remote code execution (RCE) vulnerability in course_intro_pdf_import.php of Chamilo LMS v1.11.x allows authenticated attackers to execute arbitrary code via a crafted .htaccess file. | |||||
| CVE-2020-23128 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 4.0 MEDIUM | 4.9 MEDIUM |
| Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege. | |||||