Skip to main content

Chamilo

21 CVEs product

Monthly

CVE-2023-3545 CRITICAL POC PATCH Act Now

Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload RCE Microsoft Apache PHP +1
NVD GitHub
CVSS 3.1
9.8
EPSS
2.0%
CVE-2023-3533 CRITICAL POC PATCH Act Now

Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Path Traversal File Upload RCE PHP +1
NVD GitHub
CVSS 3.1
9.8
EPSS
2.7%
CVE-2023-3368 CRITICAL POC PATCH THREAT Act Now

Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP RCE Command Injection Chamilo
NVD GitHub
CVSS 3.1
9.8
EPSS
68.9%
CVE-2023-39061 LOW Monitor

Cross Site Request Forgery (CSRF) vulnerability in Chamilo v.1.11 thru v.1.11.20 allows a remote authenticated privileged attacker to execute arbitrary code. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF RCE Chamilo
NVD VulDB
CVSS 3.1
3.5
EPSS
0.3%
CVE-2023-34960 CRITICAL POC THREAT Emergency

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 99.4%.

Command Injection Chamilo
NVD
CVSS 3.1
9.8
EPSS
99.4%
Threat
6.4
CVE-2023-37067 MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-37066 MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-37065 MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-37064 MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-37063 MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-37062 MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the course categories' definition. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-37061 MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the languages management section. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
CVSS 3.1
4.8
EPSS
0.4%
CVE-2022-42029 HIGH This Week

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Chamilo
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2022-40407 HIGH POC This Week

A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Chamilo
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2022-27425 MEDIUM PATCH This Month

Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP XSS Chamilo
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2021-43687 MEDIUM POC PATCH This Month

chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Chamilo
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
1.4%
CVE-2021-37389 MEDIUM POC PATCH This Month

Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Chamilo
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
CVE-2021-34187 CRITICAL POC PATCH THREAT Act Now

main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP Chamilo
NVD GitHub
CVSS 3.1
9.8
EPSS
16.2%
CVE-2021-32925 MEDIUM POC PATCH This Month

admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP XXE Chamilo
NVD GitHub
CVSS 3.1
6.5
EPSS
1.9%
CVE-2021-31933 HIGH POC PATCH THREAT This Week

A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal RCE PHP Chamilo
NVD GitHub Exploit-DB
CVSS 3.1
7.2
EPSS
13.9%
CVE-2021-26746 MEDIUM PATCH This Month

Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP XSS Chamilo
NVD GitHub
CVSS 3.1
6.1
EPSS
1.0%
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

File Upload RCE Microsoft +3
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL POC PATCH Act Now

Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Path Traversal File Upload +3
NVD GitHub
EPSS 69% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP RCE Command Injection +1
NVD GitHub
EPSS 0% CVSS 3.5
LOW Monitor

Cross Site Request Forgery (CSRF) vulnerability in Chamilo v.1.11 thru v.1.11.20 allows a remote authenticated privileged attacker to execute arbitrary code. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF RCE Chamilo
NVD VulDB
EPSS 99% 6.4 CVSS 9.8
CRITICAL POC THREAT Emergency

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 99.4%.

Command Injection Chamilo
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the course categories' definition. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the languages management section. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Chamilo
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload Chamilo
NVD
EPSS 1% CVSS 8.8
HIGH POC This Week

A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Chamilo
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP XSS Chamilo
NVD
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS PHP Chamilo
NVD GitHub VulDB
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

PHP XSS Chamilo
NVD GitHub
EPSS 16% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SQLi PHP Chamilo
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP XXE Chamilo
NVD GitHub
EPSS 14% CVSS 7.2
HIGH POC PATCH THREAT This Week

A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal RCE PHP +1
NVD GitHub Exploit-DB
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP XSS Chamilo
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy