PT-2021-3968 · Unknown · Chamilo Lms

Published 2021-08-10 · Updated 2022-02-03 · CVE-2021-37391

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Chamilo LMS version 1.11.14

Description: A user without privileges can send an invitation message to another user, such as the administrator, through main/social/search.php and main/inc/lib/social.lib.php. The message is stored and later rendered to the recipient, so a stored XSS payload in the social network's send invitation feature can steal the recipient's cookies or execute arbitrary code on the administration side. A remote attacker can exploit this to execute arbitrary code.

Recommendations: For Chamilo LMS version 1.11.14, as a temporary workaround, consider disabling the main/social/search.php and main/inc/lib/social.lib.php functions until a patch is available. Restrict access to the social network's send invitation feature to minimize the risk of exploitation, and avoid using it until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
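The defect class behind this advisory is a stored message that is emitted into HTML without output encoding. The following PHP is an added illustration written for this page, not Chamilo's code: it shows an unsafe renderer beside a hardened one that encodes every untrusted value at the point of output, and a hypothetical role-based check of the kind the workaround above calls for. The function names, the role policy and the sample message are constructed assumptions.

```php
<?php
// Added example (not Chamilo's code): output encoding for a stored
// invitation message, plus a hypothetical sender-role allowlist.
declare(strict_types=1);

/**
 * Unsafe rendering: the stored invitation text is interpolated into HTML
 * as-is, so any markup the sender embedded becomes part of the recipient's
 * page and runs with the recipient's session.
 */
function render_invitation_unsafe(string $sender, string $message): string
{
    return "<div class=\"invitation\"><b>$sender</b>: $message</div>";
}

/**
 * Encode a value for an HTML text or attribute context.
 * ENT_QUOTES also encodes both quote characters, ENT_SUBSTITUTE replaces
 * invalid byte sequences instead of returning an empty string, and the
 * explicit UTF-8 charset avoids charset-dependent encoding gaps.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Hardened rendering: every untrusted value is encoded where it is emitted,
 * so the message is displayed as text rather than parsed as markup.
 */
function render_invitation_safe(string $sender, string $message): string
{
    return '<div class="invitation"><b>' . h($sender) . '</b>: ' . h($message) . '</div>';
}

/**
 * Defence in depth on the input side, matching the advisory's advice to
 * restrict who may use the send invitation feature. $policy maps a
 * recipient role to the sender roles allowed to message it (hypothetical).
 */
function may_send_invitation(string $senderRole, string $recipientRole, array $policy): bool
{
    return in_array($senderRole, $policy[$recipientRole] ?? [], true);
}

// Constructed sample data, not taken from the advisory.
$sender  = 'student42';
$message = 'Let\'s connect! <img src=x onerror=alert(1)>';

echo "Unsafe rendering:\n" . render_invitation_unsafe($sender, $message) . "\n\n";
echo "Safe rendering:\n" . render_invitation_safe($sender, $message) . "\n\n";

// Hypothetical policy: only staff roles may send invitations to an admin.
$policy = [
    'admin'   => ['admin', 'teacher'],
    'teacher' => ['admin', 'teacher', 'student'],
];
var_dump(may_send_invitation('student', 'admin', $policy));
var_dump(may_send_invitation('teacher', 'admin', $policy));
```

Run it with `php example.php`. The unsafe output contains the `<img>` element verbatim, while the safe output shows the same message with `<`, `>` and quotes replaced by HTML entities, so a browser displays it as text. The role check returns false for the student-to-admin case and true for teacher-to-admin under the constructed policy; it is a complement to output encoding, not a substitute, since encoding is what actually removes the injection.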

Exploit

XSS

Weakness Enumeration

Related Identifiers

BDU:2021-04487
CVE-2021-37391

Affected Products

Chamilo Lms