Vulnerabilities > Chamilo > Chamilo LMS > 1.9.10
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-28 | CVE-2023-4220 | Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell. | 6.1 |
| 2023-11-28 | CVE-2023-4221 | OS Command Injection vulnerability in Chamilo LMS Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters. | 8.8 |
| 2023-11-28 | CVE-2023-4222 | OS Command Injection vulnerability in Chamilo LMS Command injection in `main/lp/openoffice_text_document.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters. | 8.8 |
| 2023-11-28 | CVE-2023-4223 | Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | 8.8 |
| 2023-11-28 | CVE-2023-4224 | Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | 8.8 |
| 2023-11-28 | CVE-2023-4225 | Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | 8.8 |
| 2023-11-28 | CVE-2023-4226 | Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | 8.8 |
| 2021-08-10 | CVE-2021-37390 | Cross-site Scripting vulnerability in Chamilo LMS A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature). | 4.3 |
| 2020-01-04 | CVE-2015-9540 | Open Redirect vulnerability in Chamilo LMS Chamilo LMS through 1.9.10.2 allows a link_goto.php?link_url= open redirect, a related issue to CVE-2015-5503. | 5.8 |
| 2019-02-04 | CVE-2019-1000017 | Missing Authorization vulnerability in Chamilo LMS Chamilo Chamilo-lms version 1.11.8 and earlier contains an Incorrect Access Control vulnerability in Tickets component that can result in an authenticated user can read all tickets available on the platform, due to lack of access controls. | 4.0 |