Matthieu-Hackwitharts

#10351of 53,624
26.7Total CVSS
Vulnerabilities · 4
Medium
3
Critical
1
PT-2022-23846
9.8
2022-08-25
Claroline · Claroline · CVE-2022-37159
**Name of the Vulnerable Software and Affected Versions** Claroline versions 13.5.7 and prior **Description** The issue allows for remote code execution via arbitrary file upload. **Recommendations** For versions 13.5.7 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-23848
5.4
2022-08-25
Claroline · Claroline · CVE-2022-37160
**Name of the Vulnerable Software and Affected Versions** Claroline versions 13.5.7 and prior **Description** The issue allows an authenticated attacker to elevate privileges via the arbitrary creation of a privileged user. This can be achieved by combining an XSS vulnerability present in several upload forms and a javascript request to the API. Specifically, it is possible to trigger the creation of a user with administrative rights by opening an SVG file as an administrator user. **Recommendations** For Claroline versions 13.5.7 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-23849
6.1
2022-08-25
Claroline · Claroline · CVE-2022-37161
**Name of the Vulnerable Software and Affected Versions** Claroline versions prior to 13.5.8 **Description** The issue is related to Cross Site Scripting (XSS) via SVG file upload. This means an attacker could potentially inject malicious scripts into the system by uploading specially crafted SVG files. **Recommendations** For versions prior to 13.5.8, update to a version that includes the fix for this issue to prevent Cross Site Scripting (XSS) attacks via SVG file uploads. As a temporary workaround, consider restricting the upload of SVG files or implementing additional validation and sanitization for uploaded files to minimize the risk of exploitation.
PT-2022-23850
5.4
2022-08-25
Claroline · Claroline · CVE-2022-37162
**Name of the Vulnerable Software and Affected Versions** Claroline versions 13.5.7 and prior **Description** The issue allows an attacker to execute arbitrary javascript code by adding it to the `Location` field of a calendar event, potentially leading to javascript code execution. **Recommendations** For Claroline versions 13.5.7 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.