CVE-2018-25158

Name of the Vulnerable Software and Affected Versions Chamilo LMS version 1.11.8

Description Chamilo LMS version 1.11.8 has an issue that allows authenticated users to upload and execute PHP files. This is possible through the elfinder filemanager module. An attacker can upload files with image headers in the social myfiles section, rename them to PHP extensions, and then execute arbitrary code by accessing these uploaded files. The vulnerable module is elfinder filemanager. The affected area is the 'social myfiles' section.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the elfinder filemanager module to minimize the risk of exploitation.