Filtered by vendor Chamilo
Subscriptions
Filtered by product Chamilo
Subscriptions
Total
29 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1106 | 1 Chamilo | 2 Chamilo, Chamilo Lms | 2026-01-20 | 5.4 Medium |
| A security flaw has been discovered in Chamilo LMS up to 2.0.0 Beta 1. This issue affects the function deleteLegal of the file src/CoreBundle/Controller/SocialController.php of the component Legal Consent Handler. Performing a manipulation of the argument userId results in improper authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2025-69581 | 1 Chamilo | 2 Chamilo, Chamilo Lms | 2026-01-20 | 5.5 Medium |
| An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks. | ||||
| CVE-2023-4225 | 1 Chamilo | 2 Chamilo, Chamilo Lms | 2025-06-05 | 8.8 High |
| Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files. | ||||
| CVE-2023-3368 | 1 Chamilo | 1 Chamilo | 2025-06-03 | 9.8 Critical |
| Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960. | ||||
| CVE-2022-40407 | 1 Chamilo | 1 Chamilo | 2025-05-20 | 8.8 High |
| A zip slip vulnerability in the file upload function of Chamilo v1.11 allows attackers to execute arbitrary code via a crafted Zip file. | ||||
| CVE-2022-42029 | 1 Chamilo | 1 Chamilo | 2025-05-14 | 8.8 High |
| Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated users with access to 'big file uploads' to copy/move files from anywhere in the file system into the web directory. | ||||
| CVE-2023-3545 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 9.8 Critical |
| Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution. | ||||
| CVE-2023-3533 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 9.8 Critical |
| Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write. | ||||
| CVE-2023-39061 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 3.5 Low |
| Cross Site Request Forgery (CSRF) vulnerability in Chamilo v.1.11 thru v.1.11.20 allows a remote authenticated privileged attacker to execute arbitrary code. | ||||
| CVE-2023-37067 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 4.8 Medium |
| Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section. | ||||
| CVE-2023-37066 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 4.8 Medium |
| Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel. | ||||
| CVE-2023-37065 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 4.8 Medium |
| Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section. | ||||
| CVE-2023-37064 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 4.8 Medium |
| Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section. | ||||
| CVE-2023-37063 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 4.8 Medium |
| Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section. | ||||
| CVE-2023-37062 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 4.8 Medium |
| Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the course categories' definition. | ||||
| CVE-2023-37061 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 4.8 Medium |
| Chamilo 1.11.x up to 1.11.20 allows users with an admin privilege account to insert XSS in the languages management section. | ||||
| CVE-2023-34960 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 9.8 Critical |
| A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. | ||||
| CVE-2022-27425 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 6.1 Medium |
| Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php. | ||||
| CVE-2021-43687 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 6.1 Medium |
| chamilo-lms v1.11.14 is affected by a Cross Site Scripting (XSS) vulnerability in /plugin/jcapture/applet.php if an attacker passes a message hex2bin in the cookie. | ||||
| CVE-2021-40662 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 8.8 High |
| A Cross-Site Request Forgery (CSRF) in Chamilo LMS 1.11.14 allows attackers to execute arbitrary commands on victim hosts via user interaction with a crafted URL. | ||||