Description
Chamilo LMS version 11.x contains an Unserialization vulnerability in the "hash" GET parameter for the api endpoint located at /webservices/api/v2.php that can result in Unauthenticated remote code execution. This attack appear to be exploitable via a simple GET request to the api endpoint. This vulnerability appears to have been fixed in After commit 0de84700648f098c1fbf6b807dee28ec640efe62.
References (2)
Core 2
Core References
Patch, Third Party Advisory x_refsource_confirm
https://github.com/chamilo/chamilo-lms/commit/0de84700648f098c1fbf6b807dee28ec640efe62
Mailing List, Third Party Advisory x_refsource_misc
https://ibb.co/jBxe6y
Scores
CVSS v3
9.8
EPSS
0.0341
EPSS Percentile
87.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (5)
chamilo/chamilo_lms
1.11.0 (10 CPE variants)
chamilo/chamilo_lms
1.11.2
chamilo/chamilo_lms
1.11.4 (5 CPE variants)
chamilo/chamilo_lms
1.11.6 (2 CPE variants)
chamilo/chamilo_lms
1.11.8 (2 CPE variants)
Published
Jul 23, 2018
Tracked Since
Feb 18, 2026