Chamilo : Security Vulnerabilities, CVEs,
SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.
Max CVSS
4.9
EPSS Score
0.06%
Published
2023-09-01
Updated
2023-09-06
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.
Max CVSS
4.8
EPSS Score
0.05%
Published
2023-07-07
Updated
2023-07-13
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.
Max CVSS
4.8
EPSS Score
0.05%
Published
2023-07-07
Updated
2023-07-13
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.
Max CVSS
4.8
EPSS Score
0.05%
Published
2023-07-07
Updated
2023-07-13
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.
Max CVSS
4.8
EPSS Score
0.05%
Published
2023-07-07
Updated
2023-07-13
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.
Max CVSS
4.8
EPSS Score
0.05%
Published
2023-07-07
Updated
2023-07-12
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the course categories' definition.
Max CVSS
4.8
EPSS Score
0.05%
Published
2023-07-07
Updated
2023-07-12
Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the languages management section.
Max CVSS
4.8
EPSS Score
0.05%
Published
2023-07-07
Updated
2023-07-12
Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a student to arbitrarily access and modify another student's personal notes.
Max CVSS
8.1
EPSS Score
0.06%
Published
2023-06-08
Updated
2023-06-15
Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the /feedback/comment field.
Max CVSS
6.1
EPSS Score
0.05%
Published
2023-06-08
Updated
2023-06-15
CVE-2023-34960
Public exploit
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
Max CVSS
9.8
EPSS Score
93.54%
Published
2023-08-01
Updated
2023-08-24
An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the social and links tools.
Max CVSS
5.3
EPSS Score
0.05%
Published
2023-06-08
Updated
2023-06-15
Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID.
Max CVSS
4.3
EPSS Score
0.05%
Published
2023-06-08
Updated
2023-06-15
An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file.
Max CVSS
9.8
EPSS Score
0.09%
Published
2023-06-13
Updated
2023-06-20
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the personal notes function.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-05-09
Updated
2023-05-12
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the My Progress function.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-05-09
Updated
2023-05-12
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local authenticated attacker to execute arbitrary code via the homepage function.
Max CVSS
4.8
EPSS Score
0.04%
Published
2023-05-09
Updated
2023-05-12
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-05-09
Updated
2023-05-12
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the resource sequencing parameters.
Max CVSS
4.8
EPSS Score
0.04%
Published
2023-05-09
Updated
2023-05-12
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-05-09
Updated
2023-05-12
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter.
Max CVSS
6.1
EPSS Score
0.05%
Published
2023-05-09
Updated
2023-05-12
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter.
Max CVSS
5.4
EPSS Score
0.04%
Published
2023-05-09
Updated
2023-05-12
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the system annnouncements parameter.
Max CVSS
4.8
EPSS Score
0.04%
Published
2023-05-09
Updated
2023-05-12
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Max CVSS
8.8
EPSS Score
0.29%
Published
2023-11-28
Updated
2023-11-30
Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Max CVSS
8.8
EPSS Score
0.29%
Published
2023-11-28
Updated
2023-11-30