Vulnerabilities > Chamilo > Chamilo
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-07-07 | CVE-2023-37066 | Cross-site Scripting vulnerability in Chamilo Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel. | 4.8 |
| 2023-07-07 | CVE-2023-37067 | Cross-site Scripting vulnerability in Chamilo Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section. | 4.8 |
| 2022-10-17 | CVE-2022-42029 | Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo 1.11.16 Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory. | 8.8 |
| 2022-09-29 | CVE-2022-40407 | Unrestricted Upload of File with Dangerous Type vulnerability in Chamilo 1.11 A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file. | 8.8 |
| 2022-04-15 | CVE-2022-27425 | Cross-site Scripting vulnerability in Chamilo Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php. | 4.3 |
| 2022-03-21 | CVE-2021-38745 | Code Injection vulnerability in Chamilo 1.11.14 Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. | 4.6 |
| 2022-03-21 | CVE-2021-40662 | Cross-Site Request Forgery (CSRF) vulnerability in Chamilo 1.11.14 A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL. | 6.8 |
| 2021-12-01 | CVE-2021-43687 | Cross-site Scripting vulnerability in Chamilo 1.11.14 chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie. | 4.3 |
| 2021-08-10 | CVE-2021-37389 | Cross-site Scripting vulnerability in Chamilo 1.11.14 Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter. | 4.3 |
| 2021-06-28 | CVE-2021-34187 | SQL Injection vulnerability in Chamilo main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter. | 7.5 |