Vulnerabilities (CVE)

  1. OpenCVE
  2. Vulnerabilities (CVE)
Filtered by vendor Chamilo Subscribe
Total 70 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-38745 1 Chamilo 1 Chamilo 2023-12-10 4.6 MEDIUM 6.8 MEDIUM
Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page.
CVE-2022-27422 1 Chamilo 1 Chamilo Lms 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL.
CVE-2022-27423 1 Chamilo 1 Chamilo Lms 2023-12-10 7.5 HIGH 9.8 CRITICAL
Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php.
CVE-2021-35415 1 Chamilo 1 Chamilo Lms 2023-12-10 3.5 LOW 4.8 MEDIUM
A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields.
CVE-2021-43687 1 Chamilo 1 Chamilo 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie.
CVE-2021-35413 1 Chamilo 1 Chamilo Lms 2023-12-10 6.0 MEDIUM 8.8 HIGH
A remote code execution (RCE) vulnerability in course_intro_pdf_import.php of Chamilo LMS v1.11.x allows authenticated attackers to execute arbitrary code via a crafted .htaccess file.
CVE-2020-23126 1 Chamilo 1 Chamilo Lms 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
Chamilo LMS version 1.11.10 contains an XSS vulnerability in the personal profile edition form, affecting the user him/herself and social network friends.
CVE-2021-35414 1 Chamilo 1 Chamilo Lms 2023-12-10 7.5 HIGH 9.8 CRITICAL
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.
CVE-2021-32925 1 Chamilo 1 Chamilo 2023-12-10 5.5 MEDIUM 6.5 MEDIUM
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.
CVE-2021-34187 1 Chamilo 1 Chamilo 2023-12-10 7.5 HIGH 9.8 CRITICAL
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
CVE-2020-23128 1 Chamilo 1 Chamilo Lms 2023-12-10 4.0 MEDIUM 4.9 MEDIUM
Chamilo LMS 1.11.10 does not properly manage privileges which could allow a user with Sessions administrator privilege to create a new user then use the edit user function to change this new user to administrator privilege.
CVE-2021-37391 1 Chamilo 1 Chamilo Lms 2023-12-10 3.5 LOW 5.4 MEDIUM
A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature.
CVE-2021-37389 1 Chamilo 1 Chamilo 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter.
CVE-2021-37390 1 Chamilo 1 Chamilo Lms 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in main/social/search.php=q URI (social network search feature).
CVE-2020-23127 1 Chamilo 1 Chamilo Lms 2023-12-10 6.8 MEDIUM 8.8 HIGH
Chamilo LMS 1.11.10 is affected by Cross Site Request Forgery (CSRF) via the edit_user function by targeting an admin user.
CVE-2021-31933 1 Chamilo 1 Chamilo 2023-12-10 6.5 MEDIUM 7.2 HIGH
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.
CVE-2021-26746 1 Chamilo 1 Chamilo 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI.
CVE-2015-9540 1 Chamilo 1 Chamilo Lms 2023-12-10 5.8 MEDIUM 6.1 MEDIUM
Chamilo LMS through 1.9.10.2 allows a link_goto.php?link_url= open redirect, a related issue to CVE-2015-5503.
CVE-2013-0738 1 Chamilo 1 Chamilo 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blog.php and announcements.php.
CVE-2012-4029 1 Chamilo 1 Chamilo 2023-12-10 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action.