Elliszat

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.36 **Description** Chamilo LMS is a learning management system that has a SQL Injection issue in the statistics AJAX endpoint. The `date start` and `date end` parameters from the `$ REQUEST` array are directly embedded into a raw SQL string without proper sanitization. The `Database::escape string()` function is called, but its output is neutralized, bypassing the escaping mechanism and allowing an authenticated attacker to inject arbitrary SQL statements into the database query. This enables blind time-based and conditional data extraction. The vulnerable API endpoint is '/statistics'. **Recommendations** Versions prior to 1.11.36 should be updated to version 1.11.36 or later.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions 1.11.34 and prior **Description** Chamilo LMS is a learning management system that has a Reflected Cross-Site Scripting (XSS) issue in the session category listing page. The `keyword` parameter from the `$ REQUEST` array is directly included in an HTML `href` attribute without proper encoding or sanitization. This allows an attacker to inject arbitrary HTML or JavaScript code by breaking out of the attribute context using "> followed by a malicious payload. The issue is triggered when the pagination controls are rendered, which happens when the number of session categories exceeds 20. The vulnerable parameter is `keyword`. **Recommendations** Versions prior to 1.11.36 are affected. Update to version 1.11.36 or later.