Chamilo

Chamilo Lms

80 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
7.5

CVE-2024-30619

  • EPSS 0.16%
  • Veröffentlicht 04.11.2024 19:15:06
  • Zuletzt bearbeitet 18.04.2025 13:52:46

Chamilo LMS Version 1.11.26 is vulnerable to Incorrect Access Control. A non-authenticated attacker can request the number of messages and the number of online users via "/main/inc/ajax/message.ajax.php?a=get_count_message" AND "/main/inc/ajax/online...

6.1

CVE-2024-30618

Exploit
  • EPSS 0.08%
  • Veröffentlicht 04.11.2024 19:15:06
  • Zuletzt bearbeitet 18.04.2025 13:54:12

A Stored Cross-Site Scripting (XSS) Vulnerability in Chamilo LMS 1.11.26 allows a remote attacker to execute arbitrary JavaScript in a web browser by including a malicious payload in the 'content' parameter of 'group_topics.php'.

5.4

CVE-2024-30617

Exploit
  • EPSS 0.09%
  • Veröffentlicht 04.11.2024 19:15:06
  • Zuletzt bearbeitet 18.04.2025 13:55:07

A Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.26 "/main/social/home.php," allows attackers to initiate a request that posts a fake post onto the user's social wall without their consent or knowledge.

8.8

CVE-2024-30616

Exploit
  • EPSS 0.11%
  • Veröffentlicht 04.11.2024 19:15:06
  • Zuletzt bearbeitet 18.04.2025 13:39:57

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Non-admin users can manipulate sensitive profiles information, posing a significant risk to data integrity.

4.6

CVE-2024-27525

Exploit
  • EPSS 0.71%
  • Veröffentlicht 01.11.2024 15:15:18
  • Zuletzt bearbeitet 18.04.2025 13:21:04

Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the home.php component.

7.1

CVE-2024-27524

Exploit
  • EPSS 1.12%
  • Veröffentlicht 01.11.2024 15:15:17
  • Zuletzt bearbeitet 17.04.2025 19:06:26

Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the new_ticket.php component.

8.8

CVE-2023-4226

Exploit
  • EPSS 23.95%
  • Veröffentlicht 28.11.2023 08:15:10
  • Zuletzt bearbeitet 21.11.2024 08:34:39

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

8.8

CVE-2023-4225

Exploit
  • EPSS 2.34%
  • Veröffentlicht 28.11.2023 08:15:09
  • Zuletzt bearbeitet 21.11.2024 08:34:39

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

8.8

CVE-2023-4224

Exploit
  • EPSS 2.56%
  • Veröffentlicht 28.11.2023 08:15:09
  • Zuletzt bearbeitet 21.11.2024 08:34:39

Unrestricted file upload in `/main/inc/ajax/dropbox.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

8.8

CVE-2023-4223

Exploit
  • EPSS 2.56%
  • Veröffentlicht 28.11.2023 08:15:08
  • Zuletzt bearbeitet 21.11.2024 08:34:39

Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.