PT-2022-23848 · Claroline · Claroline

Matthieu-Hackwitharts · Published 2022-08-25 · Updated 2022-08-27 · CVE-2022-37160

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Claroline versions 13.5.7 and prior
Description: The issue allows an authenticated attacker to elevate privileges via the arbitrary creation of a privileged user. This can be achieved by combining an XSS vulnerability present in several upload forms with a JavaScript request to the API. Specifically, it is possible to trigger the creation of a user with administrative rights when an administrator user opens the uploaded SVG file.
Recommendations: For Claroline versions 13.5.7 and prior, there is at the moment no information about a newer version that contains a fix for this vulnerability.
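Since no fixed version is listed, the practical mitigation is on the application side: never let a user-supplied SVG execute as a document in the application's origin. The following is an added example written for this advisory; it is not Claroline's code and not part of the original report. It assumes a hypothetical upload handler that stores SVGs and later serves them back, and it shows two independent controls: stripping script-capable content from the SVG on upload (script elements, on* event handlers, javascript: links) and serving stored uploads with headers that prevent inline rendering. The sample SVG, the function names and the header values are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# SVG elements that can execute script or embed foreign (HTML) content.
DANGEROUS_TAGS = {"script", "foreignObject", "set", "animate", "handler"}
# Attributes that take a URL and may therefore carry a javascript: scheme.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
JS_SCHEME = re.compile(r"^\s*javascript:", re.IGNORECASE)


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def sanitize_svg(data: str):
    """Return (clean_svg, removed) for an uploaded SVG document (hypothetical helper).

    Drops script-capable elements, every on* event-handler attribute and any
    href whose scheme is javascript:. `removed` lists what was stripped so the
    upload handler can log the event or reject the file outright.
    """
    root = ET.fromstring(data)
    if _local_name(root.tag) != "svg":
        raise ValueError("not an SVG document")
    removed = []
    # Snapshot the tree first: removing while iterating would skip siblings.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local_name(child.tag) in DANGEROUS_TAGS:
                parent.remove(child)
                removed.append("element:" + _local_name(child.tag))
    for elem in root.iter():
        for name in list(elem.attrib):
            local = _local_name(name)
            if local.lower().startswith("on"):
                del elem.attrib[name]
                removed.append("attr:" + local)
            elif name in URL_ATTRS and JS_SCHEME.match(elem.attrib[name]):
                del elem.attrib[name]
                removed.append("attr:" + local)
    return ET.tostring(root, encoding="unicode"), removed


def download_headers(filename: str) -> dict:
    """Response headers for serving a stored upload back to a browser (hypothetical helper).

    Content-Disposition: attachment keeps the SVG from being rendered as a
    document in the application's origin, and a sandboxed CSP with no
    script-src blocks inline script even if a browser does render it.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample: an SVG carrying the three classic script vectors,
# with inert payloads so it demonstrates the stripping and nothing else.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* constructed */">
  <script>/* constructed */</script>
  <a xlink:href="javascript:void(0)"><circle r="10"/></a>
  <rect width="10" height="10" fill="red"/>
</svg>"""

if __name__ == "__main__":
    clean, stripped = sanitize_svg(SAMPLE_SVG)
    print(clean)
    print("stripped:", stripped)
    print(download_headers("logo.svg"))
```

The two controls are deliberately independent: the sanitizer protects any later consumer of the stored file, while the response headers protect the application even if a sanitizer bypass slips through. In an upload handler, a non-empty `removed` list is a useful signal to reject the file and log the attempt rather than silently storing the cleaned version.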

Exploit

XSS

Weakness Enumeration

Related Identifiers: CVE-2022-37160

Affected Products: Claroline