Aastha2602

**Name of the Vulnerable Software and Affected Versions** Strapi versions prior to 5.33.3 **Description** Changing or resetting a user's password does not invalidate existing refresh-token sessions by default. In the users-permissions and admin authentication controllers, the invalidation process depends on a caller-supplied `deviceId`. If a password change or reset request is made without a `deviceId`, no refresh tokens are revoked, which keeps all previous sessions active. This allows an attacker with a previously obtained refresh token to continue generating new access tokens even after a password reset, enabling unauthorized access for the duration of the refresh token's lifetime, which is 30 days by default. **Recommendations** Update to version 5.33.3 or later.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 2.0.0-RC.3 **Description** A Stored Cross-Site Scripting (XSS) issue exists in the social post attachment upload functionality. An authenticated user can upload a malicious HTML file containing JavaScript via the '/api/social post attachments' endpoint. The application serves the uploaded file through the `contentUrl` without sanitization, content type restrictions, or a Content-Disposition: attachment header, allowing the JavaScript to execute in the browser within the application origin. This can lead to session hijacking, account takeover, privilege escalation if an administrator views the link, and arbitrary actions performed on behalf of the victim. **Recommendations** Update to version 2.0.0-RC.3.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 2.0.0-RC.3 **Description** An Insecure Direct Object Reference (IDOR) exists in the '/api/course rel users' endpoint. An authenticated attacker can modify the `user` parameter in the request body to enroll any arbitrary user into any course. This occurs because the backend trusts user-supplied input for the `user` field without server-side verification to ensure the requester has the necessary permissions to act on behalf of other users. This allows unauthorized manipulation of user-course relationships, which can lead to bypassing enrollment controls and granting unintended access to course materials. **Recommendations** Update to version 2.0.0-RC.3.