Chamilo Lms
Monthly
{id} endpoint to assign themselves ROLE_ADMIN privileges, bypassing intended access controls. The vulnerability stems from inadequate authorization checks that verify only record ownership without restricting modification of security-critical fields. With CVSS 8.8 (High) and low attack complexity requiring only basic authentication, this represents a critical access control failure in educational platforms. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though the straightforward attack vector makes exploitation trivial for malicious insiders.
Insecure Direct Object Reference in Chamilo LMS /api/course_rel_users endpoint allows authenticated attackers to enroll arbitrary users into any course without authorization (CVSS 7.1, High Integrity impact). Affects all versions prior to 2.0.0-RC.3. The vulnerability enables authenticated users to manipulate user-course relationships by modifying the user parameter in API requests, bypassing enrollment controls entirely. No public exploit code identified at time of analysis, though the attack v
Chamilo LMS versions prior to 2.0.0-RC.3 allow authenticated students to read private course notes of any other user via an Insecure Direct Object Reference (IDOR) vulnerability in the notebook module's editnote action. An attacker can manipulate the notebook_id parameter to bypass ownership checks in the read path (get_note_information()), exposing note titles and HTML body content despite write-path protections existing in updateNote() and delete_note(). The vulnerability requires valid student credentials but impacts confidentiality of sensitive educational materials across the platform.
Stored cross-site scripting (XSS) in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated users to upload malicious HTML files containing JavaScript via the social post attachment API endpoint. The uploaded files are served without sanitization, content-type restrictions, or proper content-disposition headers, causing embedded JavaScript to execute in the browser within the application's trusted origin. This enables session hijacking, account takeover, and privilege escalation attacks, particularly when an administrator views a malicious link. The vulnerability is confirmed fixed in version 2.0.0-RC.3.
Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allow authenticated attackers to read arbitrary server files through XML External Entity (XXE) injection via improper use of simplexml_load_string() with the LIBXML_NOENT flag enabled across multiple application files. The vulnerability requires low-privilege authentication and medium attack complexity but grants high confidentiality impact with no integrity or availability impact; no public exploit code or active exploitation has been identified at the time of analysis.
Chamilo LMS versions prior to 2.0.0-RC.3 allow authenticated students and lower-privileged users to enumerate all platform users and extract sensitive personal information (email addresses, phone numbers, role assignments) through an unauthenticated API endpoint (GET /api/users), enabling reconnaissance of administrator accounts and organizational structure. The vulnerability affects any installation with user accounts below administrative level and is fixed in version 2.0.0-RC.3.
Predictable API key generation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows unauthenticated remote attackers to brute-force valid REST API keys. The md5-based generation algorithm uses a flawed random seed (rand(10000,10000) always returns 10000), reducing the keyspace to md5(timestamp + user_id*5 - 10000). Attackers with knowledge of target usernames and approximate key creation timestamps can enumerate valid API keys through offline computation, enabling unauthorized access to REST API endpoints and confidential data exposure. No public exploit identified at time of analysis.
Chamilo LMS REST API endpoint get_user_info_from_username fails to authorize requests, exposing personal information (email, names, user ID, active status) to any authenticated user regardless of role prior to version 1.11.38. An attacker with valid login credentials, including a student account, can enumerate and retrieve sensitive user data for any account in the system.
Unauthenticated password reset takeover in Chamilo LMS 1.11.x (prior to 1.11.38) and 2.0.0-RC versions (prior to RC.3) allows remote attackers to hijack arbitrary user accounts by computing deterministic reset tokens. The vulnerability stems from insecure token generation using sha1($email) without randomization, expiration, or rate limiting. Attackers knowing a target's email address can directly calculate valid password reset tokens and change account credentials without prior authentication, enabling full account takeover with high confidentiality and integrity impact. No public exploit identified at time of analysis.
Privilege escalation in Chamilo LMS versions prior to 1.11.38 allows any authenticated user with a REST API key to elevate their account status from student (status=5) to teacher/course manager (status=1) by manipulating the status field through the update_user_from_username REST API endpoint. This enables unauthorized course creation and management capabilities. Authentication is required (PR:L), but once exploited, attackers gain high-integrity administrative functions within the learning management system. No public exploit identified at time of analysis.
Chamilo LMS versions prior to 1.11.38 expose Twig template files (.tpl) in the /main/template/default/ directory to unauthenticated HTTP GET requests, allowing remote attackers to disclose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure without authentication. This information disclosure vulnerability has a CVSS score of 5.3 with confirmed patch availability in version 1.11.38.
{userId} endpoint. Attack requires only low-privilege authentication (PR:L) and no user interaction, enabling mass disclosure of credentials and sensitive information across the entire platform. Affects all Chamilo LMS versions prior to 2.0.0-RC.3. No public exploit identified at time of analysis.
Insecure Direct Object Reference in Chamilo LMS REST API stats endpoint allows authenticated low-privilege users to read unauthorized access to any user's learning progress, certificates, and gradebook scores across all courses prior to version 2.0.0-RC.3. The vulnerability requires only valid user credentials (accessible to students with ROLE_USER) and network access, enabling horizontal privilege escalation without administrative intervention or system compromise. No public exploit code or active exploitation has been identified at time of analysis.
Authenticated teachers in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 can access and modify gradebook evaluation settings across unauthorized courses through Insecure Direct Object Reference in the editeval parameter. Attackers with low-privilege teacher accounts can alter evaluation names, maximum scores, and weights for assessments in courses they do not own, enabling unauthorized data disclosure and integrity compromise. No public exploit identified at time of analysis.
Authenticated teachers in Chamilo LMS can delete arbitrary student grades platform-wide through Insecure Direct Object Reference in gradebook result views. By manipulating delete_mark or resultdelete GET parameters, attackers bypass course-scope and ownership controls, enabling unauthorized grade deletion across all courses. Versions prior to 1.11.38 and 2.0.0-RC.3 lack server-side validation. No public exploit identified at time of analysis. CVSS 7.1 (High) reflects authenticated access requirement with high integrity impact and low availability impact.
Reflected XSS in Chamilo LMS exercise admin panel allows authenticated teachers to be tricked into executing arbitrary JavaScript via malicious paginated URLs, affecting versions prior to 2.0.0-RC.3. An attacker can craft a weaponized link containing unencoded query parameters that bypass the pagination mechanism's improper output encoding, potentially leading to session hijacking, credential theft, or unauthorized administrative actions within the learning management system. No public exploit code or active exploitation has been identified at time of analysis.
Server-Side Request Forgery in Chamilo LMS Social Wall feature enables authenticated attackers to force the server to make arbitrary HTTP requests to internal resources. The read_url_with_open_graph endpoint accepts user-controlled URLs via social_wall_new_msg_main POST parameter without validating internal versus external targets, allowing internal port scanning, access to cloud instance metadata (AWS/GCP/Azure), and reconnaissance of private network services. Affects Chamilo LMS versions before 1.11.38 and 2.0.0-RC.3. Attack requires low-privilege authenticated access; no public exploit identified at time of analysis.
Chamilo LMS versions 1.11.34 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page where the keyword parameter is echoed directly into an HTML href attribute without encoding or sanitization. An attacker can inject arbitrary JavaScript by breaking out of the attribute context using a ">" payload, enabling session hijacking, credential theft, or malware distribution to any user who clicks a malicious link. The vulnerability is triggered when pagination controls render for datasets exceeding 20 items, and a patch is available in version 1.11.36.
Authenticated attackers can exploit SQL injection in Chamilo LMS 1.11.34 and earlier through the statistics AJAX endpoint, where insufficient input sanitization allows bypassing of database escaping mechanisms via the date_start and date_end parameters. This vulnerability enables blind time-based SQL injection attacks to extract or manipulate sensitive data from the underlying database. Version 1.11.36 contains the patch; versions 1.11.35 and earlier remain vulnerable.
A security vulnerability in Chamilo LMS (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
An arbitrary file upload vulnerability in Chamilo LMS allows authenticated users with Teacher role to achieve Remote Code Execution by uploading malicious H5P packages. The flaw affects versions prior to 1.11.36 and stems from inadequate validation of H5P package contents, which only checks for h5p.json existence but fails to block .htaccess or PHP files with alternative extensions. With a CVSS score of 8.8 and high exploitation potential, attackers can upload webshells disguised as text files along with .htaccess configurations to bypass security controls.
Unauthenticated SQL injection in Chamilo LMS versions prior to 1.11.34 enables remote attackers to execute arbitrary database queries through the custom_dates parameter and escalate to full administrative account takeover by exploiting a predictable password reset mechanism. This critical vulnerability exposes the entire database including personally identifiable information and system configurations without requiring any credentials or user interaction. No patch is currently available for affected installations.
Authenticated arbitrary code execution in Chamilo LMS versions prior to 1.11.34 allows low-privileged users to bypass file upload restrictions through MIME-type spoofing and execute malicious commands on the server. The vulnerability stems from insufficient validation of file extensions and improper storage restrictions, enabling attackers to upload and execute arbitrary files. No patch is currently available for affected deployments.
Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. [CVSS 4.3 MEDIUM]
Second stored XSS in Chamilo LMS before 1.11.34.
Stored XSS in Chamilo LMS before 1.11.34.
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. [CVSS 8.1 HIGH]
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. [CVSS 5.4 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. [CVSS 8.8 HIGH]
Stored XSS in Chamilo LMS before 1.11.34 via file uploads in Social Networks. Leads to account takeover.
Chamilo LMS prior to 1.11.30 has an insecure deserialization vulnerability enabling remote code execution through crafted serialized data.
Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to insufficient sanitization of the page parameter in the session/add_users_to_session.php endpoint. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to improper sanitization of the keyword_active parameter in admin/user_list.php. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. [CVSS 4.8 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo’s social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. [CVSS 7.1 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. [CVSS 8.8 HIGH]
Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning platform.
Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. [CVSS 4.9 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sub_language_ajax.inc.php via the POST new_language parameter. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/editinstance.php via the POST main_database parameter. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/cron/lang/check_parse_lang.php. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. [CVSS 8.3 HIGH]
Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database extraction vector.
Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. [CVSS 7.2 HIGH]
Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.
Chamilo is a learning management system. [CVSS 8.8 HIGH]
Chamilo is a learning management system. [CVSS 7.2 HIGH]
Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. [CVSS 4.8 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on server's behalf, which results in unauthenticated blind SSRF. [CVSS 5.3 MEDIUM]
Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. [CVSS 7.2 HIGH]
An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. [CVSS 5.5 MEDIUM]
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows an attacker to execute arbitrary code via the svkey parameter of the storageapi.php file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Chamilo LMS Version 1.11.26 is vulnerable to Incorrect Access Control. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A Stored Cross-Site Scripting (XSS) Vulnerability in Chamilo LMS 1.11.26 allows a remote attacker to execute arbitrary JavaScript in a web browser by including a malicious payload in the 'content'. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.26 "/main/social/home.php," allows attackers to initiate a request that posts a fake post onto the user's social wall without. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the home.php component. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available.
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the new_ticket.php component. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available.
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.
An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a student to arbitrarily access and modify another student's personal notes. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.
Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the /feedback/comment field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the personal notes function. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the My Progress function. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local authenticated attacker to execute arbitrary code via the homepage function. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the resource sequencing parameters. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the system annnouncements parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Chamilo LMS v1.11.13 lacks validation on the user modification form, allowing attackers to escalate privileges to Platform Admin. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.
A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
{id} endpoint to assign themselves ROLE_ADMIN privileges, bypassing intended access controls. The vulnerability stems from inadequate authorization checks that verify only record ownership without restricting modification of security-critical fields. With CVSS 8.8 (High) and low attack complexity requiring only basic authentication, this represents a critical access control failure in educational platforms. No public exploit code or active exploitation (CISA KEV) identified at time of analysis, though the straightforward attack vector makes exploitation trivial for malicious insiders.
Insecure Direct Object Reference in Chamilo LMS /api/course_rel_users endpoint allows authenticated attackers to enroll arbitrary users into any course without authorization (CVSS 7.1, High Integrity impact). Affects all versions prior to 2.0.0-RC.3. The vulnerability enables authenticated users to manipulate user-course relationships by modifying the user parameter in API requests, bypassing enrollment controls entirely. No public exploit code identified at time of analysis, though the attack v
Chamilo LMS versions prior to 2.0.0-RC.3 allow authenticated students to read private course notes of any other user via an Insecure Direct Object Reference (IDOR) vulnerability in the notebook module's editnote action. An attacker can manipulate the notebook_id parameter to bypass ownership checks in the read path (get_note_information()), exposing note titles and HTML body content despite write-path protections existing in updateNote() and delete_note(). The vulnerability requires valid student credentials but impacts confidentiality of sensitive educational materials across the platform.
Stored cross-site scripting (XSS) in Chamilo LMS versions prior to 2.0.0-RC.3 allows authenticated users to upload malicious HTML files containing JavaScript via the social post attachment API endpoint. The uploaded files are served without sanitization, content-type restrictions, or proper content-disposition headers, causing embedded JavaScript to execute in the browser within the application's trusted origin. This enables session hijacking, account takeover, and privilege escalation attacks, particularly when an administrator views a malicious link. The vulnerability is confirmed fixed in version 2.0.0-RC.3.
Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allow authenticated attackers to read arbitrary server files through XML External Entity (XXE) injection via improper use of simplexml_load_string() with the LIBXML_NOENT flag enabled across multiple application files. The vulnerability requires low-privilege authentication and medium attack complexity but grants high confidentiality impact with no integrity or availability impact; no public exploit code or active exploitation has been identified at the time of analysis.
Chamilo LMS versions prior to 2.0.0-RC.3 allow authenticated students and lower-privileged users to enumerate all platform users and extract sensitive personal information (email addresses, phone numbers, role assignments) through an unauthenticated API endpoint (GET /api/users), enabling reconnaissance of administrator accounts and organizational structure. The vulnerability affects any installation with user accounts below administrative level and is fixed in version 2.0.0-RC.3.
Predictable API key generation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 allows unauthenticated remote attackers to brute-force valid REST API keys. The md5-based generation algorithm uses a flawed random seed (rand(10000,10000) always returns 10000), reducing the keyspace to md5(timestamp + user_id*5 - 10000). Attackers with knowledge of target usernames and approximate key creation timestamps can enumerate valid API keys through offline computation, enabling unauthorized access to REST API endpoints and confidential data exposure. No public exploit identified at time of analysis.
Chamilo LMS REST API endpoint get_user_info_from_username fails to authorize requests, exposing personal information (email, names, user ID, active status) to any authenticated user regardless of role prior to version 1.11.38. An attacker with valid login credentials, including a student account, can enumerate and retrieve sensitive user data for any account in the system.
Unauthenticated password reset takeover in Chamilo LMS 1.11.x (prior to 1.11.38) and 2.0.0-RC versions (prior to RC.3) allows remote attackers to hijack arbitrary user accounts by computing deterministic reset tokens. The vulnerability stems from insecure token generation using sha1($email) without randomization, expiration, or rate limiting. Attackers knowing a target's email address can directly calculate valid password reset tokens and change account credentials without prior authentication, enabling full account takeover with high confidentiality and integrity impact. No public exploit identified at time of analysis.
Privilege escalation in Chamilo LMS versions prior to 1.11.38 allows any authenticated user with a REST API key to elevate their account status from student (status=5) to teacher/course manager (status=1) by manipulating the status field through the update_user_from_username REST API endpoint. This enables unauthorized course creation and management capabilities. Authentication is required (PR:L), but once exploited, attackers gain high-integrity administrative functions within the learning management system. No public exploit identified at time of analysis.
Chamilo LMS versions prior to 1.11.38 expose Twig template files (.tpl) in the /main/template/default/ directory to unauthenticated HTTP GET requests, allowing remote attackers to disclose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure without authentication. This information disclosure vulnerability has a CVSS score of 5.3 with confirmed patch availability in version 1.11.38.
{userId} endpoint. Attack requires only low-privilege authentication (PR:L) and no user interaction, enabling mass disclosure of credentials and sensitive information across the entire platform. Affects all Chamilo LMS versions prior to 2.0.0-RC.3. No public exploit identified at time of analysis.
Insecure Direct Object Reference in Chamilo LMS REST API stats endpoint allows authenticated low-privilege users to read unauthorized access to any user's learning progress, certificates, and gradebook scores across all courses prior to version 2.0.0-RC.3. The vulnerability requires only valid user credentials (accessible to students with ROLE_USER) and network access, enabling horizontal privilege escalation without administrative intervention or system compromise. No public exploit code or active exploitation has been identified at time of analysis.
Authenticated teachers in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 can access and modify gradebook evaluation settings across unauthorized courses through Insecure Direct Object Reference in the editeval parameter. Attackers with low-privilege teacher accounts can alter evaluation names, maximum scores, and weights for assessments in courses they do not own, enabling unauthorized data disclosure and integrity compromise. No public exploit identified at time of analysis.
Authenticated teachers in Chamilo LMS can delete arbitrary student grades platform-wide through Insecure Direct Object Reference in gradebook result views. By manipulating delete_mark or resultdelete GET parameters, attackers bypass course-scope and ownership controls, enabling unauthorized grade deletion across all courses. Versions prior to 1.11.38 and 2.0.0-RC.3 lack server-side validation. No public exploit identified at time of analysis. CVSS 7.1 (High) reflects authenticated access requirement with high integrity impact and low availability impact.
Reflected XSS in Chamilo LMS exercise admin panel allows authenticated teachers to be tricked into executing arbitrary JavaScript via malicious paginated URLs, affecting versions prior to 2.0.0-RC.3. An attacker can craft a weaponized link containing unencoded query parameters that bypass the pagination mechanism's improper output encoding, potentially leading to session hijacking, credential theft, or unauthorized administrative actions within the learning management system. No public exploit code or active exploitation has been identified at time of analysis.
Server-Side Request Forgery in Chamilo LMS Social Wall feature enables authenticated attackers to force the server to make arbitrary HTTP requests to internal resources. The read_url_with_open_graph endpoint accepts user-controlled URLs via social_wall_new_msg_main POST parameter without validating internal versus external targets, allowing internal port scanning, access to cloud instance metadata (AWS/GCP/Azure), and reconnaissance of private network services. Affects Chamilo LMS versions before 1.11.38 and 2.0.0-RC.3. Attack requires low-privilege authenticated access; no public exploit identified at time of analysis.
Chamilo LMS versions 1.11.34 and prior contain a Reflected Cross-Site Scripting (XSS) vulnerability in the session category listing page where the keyword parameter is echoed directly into an HTML href attribute without encoding or sanitization. An attacker can inject arbitrary JavaScript by breaking out of the attribute context using a ">" payload, enabling session hijacking, credential theft, or malware distribution to any user who clicks a malicious link. The vulnerability is triggered when pagination controls render for datasets exceeding 20 items, and a patch is available in version 1.11.36.
Authenticated attackers can exploit SQL injection in Chamilo LMS 1.11.34 and earlier through the statistics AJAX endpoint, where insufficient input sanitization allows bypassing of database escaping mechanisms via the date_start and date_end parameters. This vulnerability enables blind time-based SQL injection attacks to extract or manipulate sensitive data from the underlying database. Version 1.11.36 contains the patch; versions 1.11.35 and earlier remain vulnerable.
A security vulnerability in Chamilo LMS (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
An arbitrary file upload vulnerability in Chamilo LMS allows authenticated users with Teacher role to achieve Remote Code Execution by uploading malicious H5P packages. The flaw affects versions prior to 1.11.36 and stems from inadequate validation of H5P package contents, which only checks for h5p.json existence but fails to block .htaccess or PHP files with alternative extensions. With a CVSS score of 8.8 and high exploitation potential, attackers can upload webshells disguised as text files along with .htaccess configurations to bypass security controls.
Unauthenticated SQL injection in Chamilo LMS versions prior to 1.11.34 enables remote attackers to execute arbitrary database queries through the custom_dates parameter and escalate to full administrative account takeover by exploiting a predictable password reset mechanism. This critical vulnerability exposes the entire database including personally identifiable information and system configurations without requiring any credentials or user interaction. No patch is currently available for affected installations.
Authenticated arbitrary code execution in Chamilo LMS versions prior to 1.11.34 allows low-privileged users to bypass file upload restrictions through MIME-type spoofing and execute malicious commands on the server. The vulnerability stems from insufficient validation of file extensions and improper storage restrictions, enabling attackers to upload and execute arbitrary files. No patch is currently available for affected deployments.
Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. [CVSS 4.3 MEDIUM]
Second stored XSS in Chamilo LMS before 1.11.34.
Stored XSS in Chamilo LMS before 1.11.34.
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. [CVSS 8.1 HIGH]
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. [CVSS 5.4 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. [CVSS 8.8 HIGH]
Stored XSS in Chamilo LMS before 1.11.34 via file uploads in Social Networks. Leads to account takeover.
Chamilo LMS prior to 1.11.30 has an insecure deserialization vulnerability enabling remote code execution through crafted serialized data.
Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to insufficient sanitization of the page parameter in the session/add_users_to_session.php endpoint. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to improper sanitization of the keyword_active parameter in admin/user_list.php. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. [CVSS 6.1 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. [CVSS 4.8 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo’s social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. [CVSS 7.1 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. [CVSS 8.8 HIGH]
Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning platform.
Chamilo is a learning management system. Prior to version 1.11.30, Chamilo is vulnerable to deserialization of untrusted data in /plugin/vchamilo/views/import.php via POST configuration_file; POST course_path; POST home_path parameters. [CVSS 4.9 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/admin/sub_language_ajax.inc.php via the POST new_language parameter. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/editinstance.php via the POST main_database parameter. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /plugin/vchamilo/views/manage.controller.php. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS Command Injection vulnerability in /main/cron/lang/check_parse_lang.php. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, there is an OS command Injection vulnerability in /plugin/vchamilo/views/import.php with the POST to_main_database parameter. [CVSS 7.2 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. [CVSS 8.3 HIGH]
Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database extraction vector.
Chamilo is a learning management system. Prior to version 1.11.30, there is an error-based SQL Injection via POST userFile with the /main/exercise/hotpotatoes.php script. [CVSS 7.2 HIGH]
Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.
Chamilo is a learning management system. [CVSS 8.8 HIGH]
Chamilo is a learning management system. [CVSS 7.2 HIGH]
Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.
Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists due to insufficient sanitization of CSV filenames. [CVSS 4.8 MEDIUM]
Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on server's behalf, which results in unauthenticated blind SSRF. [CVSS 5.3 MEDIUM]
Chamilo is a learning management system. Chamillo is affected by a post-authentication phar unserialize which leads to a remote code execution (RCE) within versions 1.11.12 to 1.11.26. [CVSS 7.2 HIGH]
An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. [CVSS 5.5 MEDIUM]
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows an attacker to execute arbitrary code via the svkey parameter of the storageapi.php file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Chamilo LMS Version 1.11.26 is vulnerable to Incorrect Access Control. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A Stored Cross-Site Scripting (XSS) Vulnerability in Chamilo LMS 1.11.26 allows a remote attacker to execute arbitrary JavaScript in a web browser by including a malicious payload in the 'content'. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.26 "/main/social/home.php," allows attackers to initiate a request that posts a fake post onto the user's social wall without. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the home.php component. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available.
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the new_ticket.php component. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. Public exploit code available.
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity.
An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11.* up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.
Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a student to arbitrarily access and modify another student's personal notes. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.
Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the /feedback/comment field. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the personal notes function. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the My Progress function. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local authenticated attacker to execute arbitrary code via the homepage function. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the resource sequencing parameters. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skills wheel parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the system annnouncements parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.
Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Chamilo LMS v1.11.13 lacks validation on the user modification form, allowing attackers to escalate privileges to Platform Admin. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.
A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.