Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Chamilo Subscribe
Filtered by product Chamilo
Total 14 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-42029 1 Chamilo 1 Chamilo 2022-10-18 N/A 8.8 HIGH
Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory.
CVE-2022-40407 1 Chamilo 1 Chamilo 2022-10-04 N/A 8.8 HIGH
A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file.
CVE-2021-32925 1 Chamilo 1 Chamilo 2022-05-16 5.5 MEDIUM 6.5 MEDIUM
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.
CVE-2022-27425 1 Chamilo 1 Chamilo 2022-04-25 4.3 MEDIUM 6.1 MEDIUM
Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php.
CVE-2021-40662 1 Chamilo 1 Chamilo 2022-03-29 6.8 MEDIUM 8.8 HIGH
A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL.
CVE-2021-38745 1 Chamilo 1 Chamilo 2022-03-29 4.6 MEDIUM 6.8 MEDIUM
Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page.
CVE-2021-43687 1 Chamilo 1 Chamilo 2021-12-15 4.3 MEDIUM 6.1 MEDIUM
chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie.
CVE-2021-37389 1 Chamilo 1 Chamilo 2021-08-17 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.11.14 allows stored XSS via main/install/index.php and main/install/ajax.php through the port parameter.
CVE-2021-34187 1 Chamilo 1 Chamilo 2021-07-01 7.5 HIGH 9.8 CRITICAL
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
CVE-2021-31933 1 Chamilo 1 Chamilo 2021-05-17 6.5 MEDIUM 7.2 HIGH
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.
CVE-2021-26746 1 Chamilo 1 Chamilo 2021-02-25 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI.
CVE-2012-4029 1 Chamilo 1 Chamilo 2020-02-12 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in main/dropbox/index.php in Chamilo LMS before 1.8.8.6 allows remote attackers to inject arbitrary web script or HTML via the category_name parameter in an addsentcategory action.
CVE-2013-0738 1 Chamilo 1 Chamilo 2020-01-31 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.9.4 has Multiple XSS and HTML Injection Vulnerabilities: blog.php and announcements.php.
CVE-2013-0739 1 Chamilo 1 Chamilo 2020-01-31 4.3 MEDIUM 6.1 MEDIUM
Chamilo 1.9.4 has XSS due to improper validation of user-supplied input by the chat.php script.