SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.
Max CVSS: 4.9 | EPSS Score: 0.06% | Published: 2023-09-01 | Updated: 2023-09-06

Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a student to arbitrarily access and modify another student's personal notes.
Max CVSS: 8.1 | EPSS Score: 0.06% | Published: 2023-06-08 | Updated: 2023-06-15

Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the /feedback/comment field.
Max CVSS: 6.1 | EPSS Score: 0.05% | Published: 2023-06-08 | Updated: 2023-06-15

An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the social and links tools.
Max CVSS: 5.3 | EPSS Score: 0.05% | Published: 2023-06-08 | Updated: 2023-06-15

Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID.
Max CVSS: 4.3 | EPSS Score: 0.05% | Published: 2023-06-08 | Updated: 2023-06-15

An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file.
Max CVSS: 9.8 | EPSS Score: 0.09% | Published: 2023-06-13 | Updated: 2023-06-20

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the personal notes function.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2023-05-09 | Updated: 2023-05-12

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the My Progress function.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2023-05-09 | Updated: 2023-05-12

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local authenticated attacker to execute arbitrary code via the homepage function.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2023-05-09 | Updated: 2023-05-12

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2023-05-09 | Updated: 2023-05-12

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the resource sequencing parameters.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2023-05-09 | Updated: 2023-05-12

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2023-05-09 | Updated: 2023-05-12

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter.
Max CVSS: 6.1 | EPSS Score: 0.06% | Published: 2023-05-09 | Updated: 2023-05-12

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter.
Max CVSS: 5.4 | EPSS Score: 0.06% | Published: 2023-05-09 | Updated: 2023-05-12

Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the system announcements parameter.
Max CVSS: 4.8 | EPSS Score: 0.06% | Published: 2023-05-09 | Updated: 2023-05-12

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Max CVSS: 8.8 | EPSS Score: 0.29% | Published: 2023-11-28 | Updated: 2023-11-30

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Max CVSS: 8.8 | EPSS Score: 0.29% | Published: 2023-11-28 | Updated: 2023-11-30

Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Max CVSS: 8.8 | EPSS Score: 0.29% | Published: 2023-11-28 | Updated: 2023-11-30

Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
Max CVSS: 8.8 | EPSS Score: 0.29% | Published: 2023-11-28 | Updated: 2023-11-30

Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.
Max CVSS: 8.8 | EPSS Score: 0.23% | Published: 2023-11-28 | Updated: 2023-11-30

Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.
Max CVSS: 8.8 | EPSS Score: 0.23% | Published: 2023-11-28 | Updated: 2023-11-30

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
Max CVSS: 8.1 | EPSS Score: 0.16% | Published: 2023-11-28 | Updated: 2023-12-04

A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file.
Max CVSS: 8.8 | EPSS Score: 0.10% | Published: 2022-04-15 | Updated: 2022-04-25

Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php.
Max CVSS: 9.8 | EPSS Score: 0.14% | Published: 2022-04-15 | Updated: 2022-04-25

A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL.
Max CVSS: 6.1 | EPSS Score: 0.07% | Published: 2022-04-15 | Updated: 2022-04-25

44 vulnerabilities found