VYPR

Lms

by Chamilo

Source repositories

CVEs (151)

  • CVE-2026-33702HigApr 10, 2026
    risk 0.39cvss 7.1epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly…

  • CVE-2026-32930HigApr 10, 2026
    risk 0.39cvss 7.1epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations…

  • CVE-2026-32894HigApr 10, 2026
    risk 0.39cvss 7.1epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by…

  • CVE-2026-34370MedApr 14, 2026
    risk 0.35cvss 6.5epss 0.00

    Chamilo LMS is an open-source learning management system. In versions prior to 2.0.0-RC.3, the notebook module contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated student to read the private course notes of any other user on the…

  • CVE-2026-33736MedApr 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user (including ROLE_STUDENT) can enumerate all platform users and access personal information (email, phone, roles) via GET /api/users, including administrator accounts. This vulnerability is…

  • CVE-2026-33708MedApr 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no…

  • CVE-2026-33703MedApr 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the /social-network/personal-data/{userId} endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by…

  • CVE-2026-33141MedApr 10, 2026
    risk 0.35cvss 6.5epss 0.00

    Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress,…

  • CVE-2026-1106MedJan 18, 2026
    risk 0.35cvss 5.4epss 0.00

    A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in…

  • CVE-2025-29529MedApr 24, 2025
    risk 0.35cvss 6.5epss 0.00

    ITC Systems Multiplan/Matrix OneCard platform v3.7.4.1002 was discovered to contain a SQL injection vulnerability via the component Forgotpassword.aspx.

  • CVE-2024-51142MedNov 15, 2024
    risk 0.35cvss 5.4epss 0.00

    Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows an attacker to execute arbitrary code via the svkey parameter of the storageapi.php file.

  • CVE-2023-31807MedMay 9, 2023
    risk 0.35cvss 5.4epss 0.00

    Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the personal notes function.

  • CVE-2023-31806MedMay 9, 2023
    risk 0.35cvss 5.4epss 0.00

    Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via a crafted payload to the My Progress function.

  • CVE-2023-31804MedMay 9, 2023
    risk 0.35cvss 5.4epss 0.00

    Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the course category parameters.

  • CVE-2023-31802MedMay 9, 2023
    risk 0.35cvss 5.4epss 0.00

    Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the skype and linedin_url parameters.

  • CVE-2023-31800MedMay 9, 2023
    risk 0.35cvss 5.4epss 0.00

    Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the forum title parameter.

  • CVE-2023-39582MedSep 1, 2023
    risk 0.32cvss 4.9epss 0.01

    SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.

  • CVE-2020-23128MedMay 6, 2021
    risk 0.32cvss 4.9epss 0.01

    Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege.

  • CVE-2023-31805MedMay 9, 2023
    risk 0.31cvss 4.8epss 0.00

    Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local authenticated attacker to execute arbitrary code via the homepage function.

  • CVE-2023-31803MedMay 9, 2023
    risk 0.31cvss 4.8epss 0.00

    Cross Site Scripting vulnerability found in Chamilo Lms v.1.11.18 allows a local attacker to execute arbitrary code via the resource sequencing parameters.

Page 3 of 8