Dokeos · Dokeos · CVE-2005-2598
**Name of the Vulnerable Software and Affected Versions**
Dokeos versions 1.6 and earlier
Claroline (affected versions not specified)
**Description**
The issue allows remote attackers to perform various malicious actions, including deleting arbitrary files or directories via the `delete` parameter to "claroline/scorm/scormdocument.php", moving arbitrary files via the `move to` and `move file` parameters to "claroline/document/document.php", or determining the existence of arbitrary files via the `file` parameter to "claroline/scorm/showinframes.php" or "claroline/scorm/contents.php".
**Recommendations**
For Dokeos versions 1.6 and earlier, consider disabling access to the affected API endpoints until a patch is available.
Restrict access to the `delete` parameter in "claroline/scorm/scormdocument.php" to prevent arbitrary file deletion.
Avoid using the `move to` and `move file` parameters in "claroline/document/document.php" to prevent arbitrary file movement.
Limit access to the `file` parameter in "claroline/scorm/showinframes.php" and "claroline/scorm/contents.php" to prevent determining the existence of arbitrary files.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
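To support the recommendations above, web server logs can be reviewed for requests that reach the affected scripts with the named parameters. The Python below is an added example, not part of the original advisory or of Dokeos; it assumes a combined-format access log, uses constructed log lines, and matches parameter names ignoring case and separators because their exact spelling on the wire is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Affected scripts and parameters, taken from the description above.
# Names are compared after lowercasing and stripping separators, because
# the exact on-the-wire spelling is an assumption.
WATCHED = {
    "claroline/scorm/scormdocument.php": {"delete"},
    "claroline/document/document.php": {"moveto", "movefile"},
    "claroline/scorm/showinframes.php": {"file"},
    "claroline/scorm/contents.php": {"file"},
}

# Client address, request target and status from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def normalize(name):
    """Lowercase a parameter name and drop everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def flag_requests(lines):
    """Return (client, script, parameter, value, status) for each watched hit."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target, status = m.groups()
        url = urlsplit(target)
        for script, params in WATCHED.items():
            if not url.path.lower().endswith("/" + script):
                continue
            for name, value in parse_qsl(url.query, keep_blank_values=True):
                if normalize(name) in params:
                    hits.append((client, script, name, value, int(status)))
    return hits

# Constructed sample log lines (documentation addresses, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /dokeos/claroline/scorm/scormdocument.php?delete=lesson1 HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /dokeos/claroline/scorm/contents.php?file=unit2.html HTTP/1.1" 200 734',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /dokeos/index.php?file=about HTTP/1.1" 200 1200',
    '192.0.2.13 - - [01/Jan/2024:10:00:12 +0000] "GET /dokeos/claroline/document/document.php?move_file=a.txt&move_to=archive HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body are not recorded in access logs, so this review covers query-string use only.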