Chamilo LMS
by Chamilo
CVEs (145)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2022-27423 | 0.00 | — | 0.01 | Apr 15, 2022 | Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php. |
| CVE-2022-27422 | 0.00 | — | 0.01 | Apr 15, 2022 | A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL. |
| CVE-2021-40662 | 0.00 | — | 0.01 | Mar 21, 2022 | A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL. |
| CVE-2021-38745 | 0.00 | — | 0.01 | Mar 21, 2022 | Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page. |
| CVE-2021-35414 | 0.00 | — | 0.02 | Dec 3, 2021 | Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php. |
| CVE-2021-35413 | 0.00 | — | 0.03 | Dec 3, 2021 | A remote code execution (RCE) vulnerability in course_intro_pdf_import.php of Chamilo LMS v1.11.x allows authenticated attackers to execute arbitrary code via a crafted .htaccess file. |
| CVE-2021-43687 | 0.00 | — | 0.01 | Dec 1, 2021 | chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie. |
| CVE-2020-23126 | 0.00 | — | 0.01 | Nov 3, 2021 | Chamilo LMS version 1.11.10 contains an XSS vulnerability in the personal profile edition form, affecting the user him/herself and social network friends. |
| CVE-2021-37389 | 0.00 | — | 0.01 | Aug 10, 2021 | Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter. |
| CVE-2021-37390 | 0.00 | — | 0.01 | Aug 10, 2021 | A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature). |
| CVE-2021-32925 | 0.00 | — | 0.02 | May 13, 2021 | admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities. |
| CVE-2020-23128 | 0.00 | — | 0.01 | May 5, 2021 | Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege. |
| CVE-2020-23127 | 0.00 | — | 0.01 | May 5, 2021 | Chamilo LMS 1.11.10 is affected by Cross Site Request Forgery (CSRF) via the edit_user function by targeting an admin user. |
| CVE-2021-26746 | 0.00 | — | 0.01 | Feb 19, 2021 | Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI. |
| CVE-2012-4029 | 0.00 | — | 0.01 | Feb 8, 2020 | Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action. |
| CVE-2013-0739 | 0.00 | — | 0.01 | Jan 30, 2020 | Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script. |
| CVE-2013-0738 | 0.00 | — | 0.01 | Jan 30, 2020 | Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blog.php and announcements.php. |
| CVE-2012-4030 | 0.00 | — | 0.01 | Jan 10, 2020 | Chamilo before 1.8.8.6 does not adequately handle user supplied input by the index.php script, which could allow remote attackers to delete arbitrary files. |
| CVE-2019-13082 | 0.00 | — | 0.04 | Jun 30, 2019 | Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php… |
| CVE-2019-1000015 | 0.00 | — | 0.01 | Feb 4, 2019 | Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in main/messages/new_message.php, main/social/personal_data.php, main/inc/lib/TicketManager.php, main/ticket/ticket_details.php that can result in a message being sent to the… |