PT-2019-11267 · Chamilo · Chamilo Lms

Published: 2019-02-04 · Updated: 2019-02-20 · CVE-2019-1000015

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Chamilo-lms versions 1.11.8 and earlier

Description: The issue allows an attacker to send a message to the Administrator containing a Cross-Site Scripting (XSS) payload, potentially stealing cookies. This can be achieved by creating a ticket with an XSS payload in the subject field, for example <svg/onload=alert(1)>. Because the subject is stored and rendered without encoding, the script executes in the browser of every user that has permission to view the tickets, which makes it possible to obtain their cookies.

Recommendations: For versions 1.11.8 and earlier, update to a version after commit 33e2692a37b5b6340cf5bec1a84e541460983c03 to resolve the issue. As a temporary workaround, consider restricting access to the main/messages/new_message.php, main/social/personal_data.php, main/inc/lib/TicketManager.php, and main/ticket/ticket_details.php files to minimize the risk of exploitation. Avoid using the subject field in the ticket creation process until the issue is resolved.
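The following is an added illustration, not Chamilo code: it shows the stored-XSS pattern behind this advisory (a ticket subject concatenated straight into the admin's HTML), the hardened form that encodes the subject at output time, and a simple review check over constructed sample tickets. Function names, the sample tickets and the detection pattern are assumptions for the example only.

```python
# Added example, not code from Chamilo. Demonstrates why the ticket subject
# in CVE-2019-1000015 executes in viewers' browsers and how output encoding
# prevents it. All names and sample data below are constructed.
import html
import re

# Constructed sample ticket submissions; the first subject is the payload
# quoted in the advisory, the others are benign subjects with special chars.
SAMPLE_TICKETS = [
    {"id": 101, "subject": "<svg/onload=alert(1)>"},
    {"id": 102, "subject": "Cannot upload file > 2 MB"},
    {"id": 103, "subject": 'Login page " broken'},
]

def render_subject_unsafe(subject: str) -> str:
    """Vulnerable pattern: untrusted text placed into HTML unchanged."""
    return f"<td class='ticket-subject'>{subject}</td>"

def render_subject_safe(subject: str) -> str:
    """Hardened form: encode for the HTML context at output time.
    html.escape(quote=True) turns < > & " ' into entities, so a subject can
    never close the cell, start a new element or add an event handler."""
    return f"<td class='ticket-subject'>{html.escape(subject, quote=True)}</td>"

# Looks for a tag start or an inline on*= handler. Meant for alerting and
# review, not blocking: legitimate subjects like "file > 2 MB" use brackets.
_MARKUP_RE = re.compile(r"<\s*/?[a-zA-Z][^>]*|\bon[a-z]+\s*=", re.IGNORECASE)

def flag_suspicious_subjects(tickets):
    """Return ids of tickets whose stored subject looks like HTML or script."""
    return [t["id"] for t in tickets if _MARKUP_RE.search(t["subject"])]

if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        print("unsafe:", render_subject_unsafe(t["subject"]))
        print("safe:  ", render_subject_safe(t["subject"]))
    print("flagged for review:", flag_suspicious_subjects(SAMPLE_TICKETS))
```

The unsafe renderer emits the <svg> element intact, so the browser runs the onload handler; the safe renderer emits only text, and the review check singles out ticket 101 while leaving the benign subjects alone.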

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2019-1000015

Affected Products: Chamilo Lms