Vulnerabilities > Chamilo > Medium

DATE | CVE | VULNERABILITY TITLE | RISK

2021-05-13 | CVE-2021-32925 | XXE vulnerability in Chamilo | 6.5
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.
network | low complexity | chamilo | CWE-611

2021-05-06 | CVE-2020-23128 | Improper Privilege Management vulnerability in Chamilo LMS 1.11.10 | 4.9
Chamilo LMS 1.11.10 does not properly manage privileges, which could allow a user with Sessions administrator privilege to create a new user and then use the edit user function to change this new user to administrator privilege.
network | low complexity | chamilo | CWE-269

2021-02-19 | CVE-2021-26746 | Cross-site Scripting vulnerability in Chamilo 1.11.14 | 6.1
Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI.
network | low complexity | chamilo | CWE-79

2020-02-08 | CVE-2012-4029 | Cross-site Scripting vulnerability in Chamilo | 6.1
Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action.
network | low complexity | chamilo | CWE-79

2020-01-30 | CVE-2013-0739 | Cross-site Scripting vulnerability in Chamilo 1.9.4 | 6.1
Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script.
network | low complexity | chamilo | CWE-79

2020-01-30 | CVE-2013-0738 | Cross-site Scripting vulnerability in Chamilo 1.9.4 | 6.1
Chamilo 1.9.4 has multiple XSS and HTML injection vulnerabilities in blog.php and announcements.php.
network | low complexity | chamilo | CWE-79

2020-01-04 | CVE-2015-9540 | Open Redirect vulnerability in Chamilo LMS | 6.1
Chamilo LMS through 1.9.10.2 allows a link_goto.php?link_url= open redirect, a related issue to CVE-2015-5503.
network | low complexity | chamilo | CWE-601

2019-02-04 | CVE-2019-1000017 | Missing Authorization vulnerability in Chamilo LMS | 6.5
Chamilo Chamilo-lms version 1.11.8 and earlier contains an Incorrect Access Control vulnerability in the Tickets component that can result in an authenticated user being able to read all tickets available on the platform, due to a lack of access controls.
network | low complexity | chamilo | CWE-862

2019-02-04 | CVE-2019-1000015 | Cross-site Scripting vulnerability in Chamilo LMS | 6.1
Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in main/messages/new_message.php, main/social/personal_data.php, main/inc/lib/TicketManager.php, main/ticket/ticket_details.php that can result in a message being sent to the Administrator with the XSS to steal cookies.
network | low complexity | chamilo | CWE-79

2018-12-21 | CVE-2018-20328 | Cross-site Scripting vulnerability in Chamilo LMS 1.11.8 | 5.4
Chamilo LMS version 1.11.8 contains XSS in main/social/group_view.php in the social groups tool, allowing authenticated users to affect other users, under specific conditions of permissions granted by administrators.
network | low complexity | chamilo | CWE-79