Angelfqc

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS version 1.11.26 **Description** A Stored Cross-Site Scripting (XSS) issue allows a remote attacker to execute arbitrary JavaScript in a web browser. This is achieved by including a malicious payload in the `content` parameter of the "group topics.php" endpoint. **Recommendations** For Chamilo LMS version 1.11.26, consider disabling the `group topics.php` endpoint or restricting access to it until a patch is available. Avoid using the `content` parameter in the "group topics.php" endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS version 1.11.26 **Description** A Cross Site Scripting issue allows a remote attacker to escalate privileges via a crafted script to the `filename` parameter of the "new ticket.php" component. This could potentially lead to data theft or malware spread. **Recommendations** For Chamilo LMS version 1.11.26, patch immediately to prevent potential data theft or malware spread. As a temporary workaround, consider restricting access to the "new ticket.php" component or avoiding the use of the `filename` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS version 1.11.26 **Description** A Cross Site Scripting issue allows a remote attacker to escalate privileges via a crafted script to the `filename` parameter of the `home.php` component. **Recommendations** For Chamilo LMS version 1.11.26, avoid using the `filename` parameter in the `home.php` component until the issue is resolved. As a temporary workaround, consider restricting access to the `home.php` component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chamilo versions 1.11.x up to 1.11.20 **Description** The issue allows users with admin privilege accounts to insert XSS in the skills wheel. This can be exploited by users with administrative privileges. **Recommendations** For Chamilo versions 1.11.x up to 1.11.20, consider restricting access to admin accounts to minimize the risk of exploitation until a patch is available. As a temporary workaround, monitor the skills wheel for any suspicious activity. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chamilo versions 1.11.* up to 1.11.18 **Description** The issue allows attackers to execute arbitrary code via uploading a crafted SVG file, exploiting an arbitrary file upload vulnerability in the /fileUpload.lib.php component. **Recommendations** For Chamilo versions 1.11.* up to 1.11.18, consider restricting access to the /fileUpload.lib.php component until a patch is available. As a temporary workaround, avoid using the file upload functionality in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chamilo versions 1.11.x up to 1.11.18 **Description** A cross-site scripting (XSS) issue was found in the /feedback/comment field, allowing potential exploitation. **Recommendations** For versions 1.11.x up to 1.11.18, update to a version later than 1.11.18 to resolve the issue.