Angel Fernando Quiroz Campos

63 exploits Active since Jun 2023
CVE-2023-37063 WRITEUP MEDIUM WRITEUP
Chamilo < 1.11.20 - XSS
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.
CVSS 4.8
CVE-2023-37064 WRITEUP MEDIUM WRITEUP
Chamilo < 1.11.20 - XSS
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.
CVSS 4.8
CVE-2023-37065 WRITEUP MEDIUM WRITEUP
Chamilo < 1.11.20 - XSS
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.
CVSS 4.8
CVE-2023-37066 WRITEUP MEDIUM WRITEUP
Chamilo < 1.11.20 - XSS
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.
CVSS 4.8
CVE-2023-37067 WRITEUP MEDIUM WRITEUP
Chamilo < 1.11.20 - XSS
Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.
CVSS 4.8
CVE-2023-4223 WRITEUP HIGH WRITEUP
Chamilo LMS <= 1.11.24 - RCE
Unrestricted file upload in `/main/inc/ajax/document.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
CVSS 8.8
CVE-2023-4225 WRITEUP HIGH WRITEUP
Chamilo LMS <= 1.11.24 - RCE
Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.
CVSS 8.8
CVE-2024-27524 WRITEUP HIGH WRITEUP
Chamilo LMS <1.11.26 - XSS
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the new_ticket.php component.
CVSS 7.1
CVE-2024-27525 WRITEUP MEDIUM WRITEUP
Chamilo LMS <1.11.26 - XSS
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the home.php component.
CVSS 4.6
CVE-2024-30616 WRITEUP HIGH WRITEUP
Chamilo Lms - Incorrect Authorization
Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Non-admin users can manipulate sensitive profiles information, posing a significant risk to data integrity.
CVSS 8.8
CVE-2024-30617 WRITEUP MEDIUM WRITEUP
Chamilo Lms - CSRF
A Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.26 "/main/social/home.php," allows attackers to initiate a request that posts a fake post onto the user's social wall without their consent or knowledge.
CVSS 5.4
CVE-2024-30618 WRITEUP MEDIUM WRITEUP
Chamilo Lms - XSS
A Stored Cross-Site Scripting (XSS) Vulnerability in Chamilo LMS 1.11.26 allows a remote attacker to execute arbitrary JavaScript in a web browser by including a malicious payload in the 'content' parameter of 'group_topics.php'.
CVSS 6.1
CVE-2024-30619 WRITEUP HIGH WRITEUP
Chamilo LMS Version 1.11.26 - Info Disclosure
Chamilo LMS Version 1.11.26 is vulnerable to Incorrect Access Control. A non-authenticated attacker can request the number of messages and the number of online users via "/main/inc/ajax/message.ajax.php?a=get_count_message" AND "/main/inc/ajax/online.ajax.php?a=get_users_online."
CVSS 7.5