VYPR

Lms

by Chamilo

Source repositories

CVEs (151)

  • CVE-2023-4225HigNov 28, 2023
    risk 0.00cvss 8.8epss 0.02

    Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

  • CVE-2023-4224HigNov 28, 2023
    risk 0.00cvss 8.8epss 0.02

    Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

  • CVE-2023-4223HigNov 28, 2023
    risk 0.00cvss 8.8epss 0.02

    Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

  • CVE-2023-4222HigNov 28, 2023
    risk 0.00cvss 7.2epss 0.04

    Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.

  • CVE-2023-4221HigNov 28, 2023
    risk 0.00cvss 7.2epss 0.04

    Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.

  • CVE-2023-3545CriNov 28, 2023
    risk 0.00cvss 9.8epss 0.02

    Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This…

  • CVE-2023-3533CriNov 28, 2023
    risk 0.00cvss 9.8epss 0.03

    Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write.

  • CVE-2023-37067MedJul 7, 2023
    risk 0.00cvss 4.8epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

  • CVE-2023-37066MedJul 7, 2023
    risk 0.00cvss 4.8epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.

  • CVE-2023-37065MedJul 7, 2023
    risk 0.00cvss 4.8epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.

  • CVE-2023-37064MedJul 7, 2023
    risk 0.00cvss 4.8epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

  • CVE-2023-37063MedJul 7, 2023
    risk 0.00cvss 4.8epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

  • CVE-2023-37062MedJul 7, 2023
    risk 0.00cvss 4.8epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the course categories' definition.

  • CVE-2023-37061MedJul 7, 2023
    risk 0.00cvss 4.8epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the languages management section.

  • CVE-2023-34962HigJun 8, 2023
    risk 0.00cvss 8.1epss 0.01

    Incorrect access control in Chamilo v1.11.x up to v1.11.18 allows a student to arbitrarily access and modify another student's personal notes.

  • CVE-2023-34961MedJun 8, 2023
    risk 0.00cvss 6.1epss 0.00

    Chamilo v1.11.x up to v1.11.18 was discovered to contain a cross-site scripting (XSS) vulnerability via the /feedback/comment field.

  • CVE-2023-34959MedJun 8, 2023
    risk 0.00cvss 5.3epss 0.01

    An issue in Chamilo v1.11.* up to v1.11.18 allows attackers to execute a Server-Side Request Forgery (SSRF) and obtain information on the services running on the server via crafted requests in the social and links tools.

  • CVE-2023-34958MedJun 8, 2023
    risk 0.00cvss 4.3epss 0.00

    Incorrect access control in Chamilo 1.11.* up to 1.11.18 allows a student subscribed to a given course to download documents belonging to another student if they know the document's ID.

  • CVE-2021-35415MedDec 3, 2021
    risk 0.00cvss 4.8epss 0.01

    A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields.

  • CVE-2021-35414CriDec 3, 2021
    risk 0.00cvss 9.8epss 0.02

    Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.

Page 7 of 8