Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Chamilo
(Chamilo)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 26 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2023-11-28 | CVE-2023-3533 | Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write. | Chamilo | 9.8 | ||
| 2023-11-28 | CVE-2023-3368 | Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960. | Chamilo | 9.8 | ||
| 2023-11-28 | CVE-2023-3545 | Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution. | Chamilo | 9.8 | ||
| 2023-08-21 | CVE-2023-39061 | Cross Site Request Forgery (CSRF) vulnerability in Chamilo v.1.11 thru v.1.11.20 allows a remote authenticated privileged attacker to execute arbitrary code. | Chamilo | 3.5 | ||
| 2023-08-01 | CVE-2023-34960 | A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. | Chamilo | 9.8 | ||
| 2023-07-07 | CVE-2023-37064 | Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section. | Chamilo | 4.8 | ||
| 2023-07-07 | CVE-2023-37065 | Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section. | Chamilo | 4.8 | ||
| 2023-07-07 | CVE-2023-37066 | Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel. | Chamilo | 4.8 | ||
| 2023-07-07 | CVE-2023-37067 | Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section. | Chamilo | 4.8 | ||
| 2023-07-07 | CVE-2023-37061 | Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the languages management section. | Chamilo | 4.8 |