Chamilo Learning Management System: Malicious Script Injection via URL

Summary

A security issue exists in older versions of Chamilo. If an attacker crafts a specific URL, they can inject malicious code into the system. Update to version 1.11.30 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
chamilo	chamilo_lms	<= 1.11.30	–

Original title

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter ...

Original description

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This issue has been patched in version 1.11.30.

nvd CVSS3.1 6.1

nvd CVSS4.0 5.1

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://github.com/chamilo/chamilo-lms/commit/349062d31533d464feea78d41996bc0857... Patch
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30 Product Release Notes
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7p5f-34rx-49h8 Vendor Advisory