Nguyen Dang Toan

**Name of the Vulnerable Software and Affected Versions** ManageEngine ADSelfService Plus versions 6522 and below **Description** ManageEngine ADSelfService Plus versions 6522 and below are susceptible to an authenticated SQL Injection issue in the search report option. An attacker with valid credentials can inject malicious SQL code into the search input, potentially compromising the underlying database. The vulnerability exists within the `search report` feature. **Recommendations** Versions prior to 6523 are affected.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS version 1.11.10 **Description** The issue is related to Cross Site Request Forgery (CSRF) via the `edit user` function, which can be exploited by targeting an admin user. This allows for unauthorized actions to be performed on behalf of the admin. **Recommendations** For Chamilo LMS version 1.11.10, consider disabling the `edit user` function until a patch is available to prevent CSRF attacks. Restrict access to admin user accounts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS version 1.11.10 **Description** The issue is related to improper privilege management. A user with Sessions administrator privilege can create a new user and then use the edit user function to change this new user to administrator privilege. **Recommendations** For Chamilo LMS version 1.11.10, consider restricting the use of the edit user function to prevent users from escalating their privileges until a proper fix is available. As a temporary workaround, monitor user account changes closely to detect and mitigate any potential misuse of privileges. At the moment, there is no information about a newer version that contains a fix for this vulnerability.