VYPR

Chamilo Lms

by Chamilo

Source repositories

CVEs (145)

  • CVE-2025-69581Jan 16, 2026
    risk 0.00cvss epss 0.00

    An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on…

  • CVE-2024-51142Nov 15, 2024
    risk 0.00cvss epss 0.00

    Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows an attacker to execute arbitrary code via the svkey parameter of the storageapi.php file.

  • CVE-2024-30619Nov 4, 2024
    risk 0.00cvss epss 0.00

    Chamilo LMS Version 1.11.26 is vulnerable to Incorrect Access Control. A non-authenticated attacker can request the number of messages and the number of online users via "/main/inc/ajax/message.ajax.php?a=get_count_message" AND "/main/inc/ajax/online.ajax.php?a=get_users_online."

  • CVE-2024-30617Nov 4, 2024
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.26 "/main/social/home.php," allows attackers to initiate a request that posts a fake post onto the user's social wall without their consent or knowledge.

  • CVE-2024-30618Nov 4, 2024
    risk 0.00cvss epss 0.00

    A Stored Cross-Site Scripting (XSS) Vulnerability in Chamilo LMS 1.11.26 allows a remote attacker to execute arbitrary JavaScript in a web browser by including a malicious payload in the 'content' parameter of 'group_topics.php'.

  • CVE-2024-27524Nov 1, 2024
    risk 0.00cvss epss 0.01

    Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the new_ticket.php component.

  • CVE-2023-4225Nov 28, 2023
    risk 0.00cvss epss 0.02

    Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

  • CVE-2023-4226Nov 28, 2023
    risk 0.00cvss epss 0.02

    Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

  • CVE-2023-4224Nov 28, 2023
    risk 0.00cvss epss 0.02

    Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

  • CVE-2023-4223Nov 28, 2023
    risk 0.00cvss epss 0.02

    Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

  • CVE-2023-4222Nov 28, 2023
    risk 0.00cvss epss 0.04

    Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.

  • CVE-2023-4221Nov 28, 2023
    risk 0.00cvss epss 0.04

    Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.

  • CVE-2023-3545Nov 28, 2023
    risk 0.00cvss epss 0.02

    Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This…

  • CVE-2023-3533Nov 28, 2023
    risk 0.00cvss epss 0.03

    Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write.

  • CVE-2023-39582Sep 1, 2023
    risk 0.00cvss epss 0.01

    SQL Injection vulnerability in Chamilo LMS v.1.11 thru v.1.11.20 allows a remote privileged attacker to obtain sensitive information via the import sessions functions.

  • CVE-2023-39061Aug 21, 2023
    risk 0.00cvss epss 0.00

    Cross Site Request Forgery (CSRF) vulnerability in Chamilo v.1.11 thru v.1.11.20 allows a remote authenticated privileged attacker to execute arbitrary code.

  • CVE-2023-37064Jul 7, 2023
    risk 0.00cvss epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

  • CVE-2023-37067Jul 7, 2023
    risk 0.00cvss epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

  • CVE-2023-37062Jul 7, 2023
    risk 0.00cvss epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the course categories' definition.

  • CVE-2023-37063Jul 7, 2023
    risk 0.00cvss epss 0.00

    Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

Page 5 of 8