Description
Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_misc
https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues#Issue-81-2021-07-26-High-impact-Low-risk-Zero-Code-RCE-in-admin
Scores
CVSS v3
6.8
EPSS
0.0080
EPSS Percentile
52.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-94
Status
published
Products (1)
chamilo/chamilo
1.11.14
Published
Mar 21, 2022
Tracked Since
Feb 18, 2026