Julio Montoya

6 exploits Active since Feb 2021
CVE-2021-26746 WRITEUP MEDIUM WRITEUP
Chamilo 1.11.14 - Cross-Site Scripting via Agenda List URI Parameter
Chamilo 1.11.14 allows XSS via a main/calendar/agenda_list.php?type= URI.
CVSS 6.1
CVE-2021-32925 WRITEUP MEDIUM WRITEUP
Chamilo 1.11.0-1.11.15 - Authenticated XML External Entity Injection in User Import
admin/user_import.php in Chamilo 1.11.x reads XML data without disabling the ability to load external entities.
CVSS 6.5
CVE-2021-34187 WRITEUP CRITICAL WRITEUP
Chamilo < 1.11.14 - Unauthenticated SQL Injection via Search Field or Filters Parameter
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
CVSS 9.8
CVE-2021-35413 WRITEUP HIGH WRITEUP
Chamilo LMS 1.11.0-1.11.16 - Authenticated Remote Code Execution via .htaccess File Upload
A remote code execution (RCE) vulnerability in course_intro_pdf_import.php of Chamilo LMS v1.11.x allows authenticated attackers to execute arbitrary code via a crafted .htaccess file.
CVSS 8.8
CVE-2021-35414 WRITEUP CRITICAL WRITEUP
Chamilo LMS 1.11.0-1.11.16 - Unauthenticated SQL Injection via doc Parameter
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.
CVSS 9.8
CVE-2021-35415 WRITEUP MEDIUM WRITEUP
Chamilo LMS 1.11.0 through 1.11.16 - Stored Cross-Site Scripting
A stored cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the course "Title" and "Content" fields.
CVSS 4.8