Vulnerabilities > Chamilo > Chamilo LMS
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-10 | CVE-2021-37390 | Cross-site Scripting vulnerability in Chamilo LMS A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature). | 6.1 |
| 2021-08-10 | CVE-2021-37391 | Cross-site Scripting vulnerability in Chamilo LMS A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature. | 5.4 |
| 2021-05-06 | CVE-2020-23127 | Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.10 Chamilo LMS 1.11.10 is affected by Cross Site Request Forgery (CSRF) via the edit_user function by targeting an admin user. | 8.8 |
| 2021-05-06 | CVE-2020-23128 | Improper Privilege Management vulnerability in Chamilo LMS 1.11.10 Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege. | 4.9 |
| 2020-01-10 | CVE-2012-4030 | Improper Input Validation vulnerability in Chamilo LMS Chamilo before 1.8.8.6 does not adequately handle user supplied input by the index.php script, which could allow remote attackers to delete arbitrary files. | 7.5 |
| 2020-01-04 | CVE-2015-9540 | Open Redirect vulnerability in Chamilo LMS Chamilo LMS through 1.9.10.2 allows a link_goto.php?link_url= open redirect, a related issue to CVE-2015-5503. | 6.1 |
| 2019-06-30 | CVE-2019-13082 | Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo LMS 1.11.8 Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. | 9.8 |
| 2019-02-04 | CVE-2019-1000017 | Missing Authorization vulnerability in Chamilo LMS Chamilo Chamilo-lms version 1.11.8 and earlier contains an Incorrect Access Control vulnerability in Tickets component that can result in an authenticated user can read all tickets available on the platform, due to lack of access controls. | 6.5 |
| 2019-02-04 | CVE-2019-1000015 | Cross-site Scripting vulnerability in Chamilo LMS Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in main/messages/new_message.php, main/social/personal_data.php, main/inc/lib/TicketManager.php, main/ticket/ticket_details.php that can result in a message being sent to the Administrator with the XSS to steal cookies. | 6.1 |
| 2018-12-21 | CVE-2018-20329 | SQL Injection vulnerability in Chamilo LMS 1.11.8 Chamilo LMS version 1.11.8 contains a main/inc/lib/CoursesAndSessionsCatalog.class.php SQL injection, allowing users with access to the sessions catalogue (which may optionally be made public) to extract and/or modify database information. | 8.1 |