andrejspuler/writeups

Releases0

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2021-35413 ↗	Dec 3, 2021Friday, 3 December 2021, 22:15	8.8 HIGH	6 MEDIUM
A remote code execution (RCE) vulnerability in course_intro_pdf_import.php of Chamilo LMS v1.11.x allows authenticated attackers to execute arbitrary code via a crafted .htaccess file.
CVE-2021-35414 ↗	Dec 3, 2021Friday, 3 December 2021, 22:15	9.8 CRITICAL	7.5 HIGH
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.
CVE-2021-35415 ↗	Dec 3, 2021Friday, 3 December 2021, 22:15	4.8 MEDIUM	3.5 LOW
A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields.
CVE-2021-32925 ↗	May 13, 2021Thursday, 13 May 2021, 18:15	6.5 MEDIUM	5.5 MEDIUM
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.