Skip to main content

Chamilo CVE-2023-37066

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2023-07-07 cve@mitre.org
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 07, 2023 - 17:15 nvd
MEDIUM 4.8

DescriptionNVD

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.

AnalysisAI

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel. Affected products include: Chamilo. Version information: up to 1.11.20.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2023-34960 CRITICAL POC
9.8 Aug 01

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to ex

CVE-2023-3545 CRITICAL POC
9.8 Nov 28

Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installation

CVE-2023-3533 CRITICAL POC
9.8 Nov 28

Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20

CVE-2023-3368 CRITICAL POC
9.8 Nov 28

Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated at

CVE-2021-34187 CRITICAL POC
9.8 Jun 28

main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 p

CVE-2022-40407 HIGH POC
8.8 Sep 29

A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a c

CVE-2021-31933 HIGH POC
7.2 Apr 30

A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a paramete

CVE-2021-32925 MEDIUM POC
6.5 May 13

admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. Rated me

CVE-2021-43687 MEDIUM POC
6.1 Dec 01

chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an atta

CVE-2021-37389 MEDIUM POC
6.1 Aug 10

Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter. Rated

CVE-2022-42029 HIGH
8.8 Oct 17

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with

CVE-2022-27425 MEDIUM
6.1 Apr 15

Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.p

Share

CVE-2023-37066 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy