Sunday, February 27, 2022

Chamilo LMS 1.11.14 - Account Takeover

# Exploit Title: Chamilo LMS 1.11.14 - Account Takeover
# Date: July 21 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage:
# Software Link:
# Version:  Chamilo-lms-1.11.x
# Tested on:  Chamilo-lms-1.11.x
# CVE: CVE-2021-37391

Description:  A user without privileges in Chamilo LMS 1.11.x can send an
invitation message to another user, e.g., the administrator, through
main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on
the administration side via a stored XSS vulnerability via social network
the send invitation feature.  .
CVE ID: CVE-2021-37391
CVSS:  Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Affected parameter: send private message - text field
Payload:  <img src=x onerror=this.src='

Steps to reproduce:
  1. Navigate to the social network menu
  2. Select the victim profile
  3. Add the payload on the text field
  4. Submit the request and wait for the payload execution

*Impact:* By using this vulnerability, an unprivileged user can steal
cookies from an admin account or force the administrator to create an
account with admin privileges with an HTTP 302 redirect.
*Mitigation*: Update the Chamilo to the latest version.

Com os meus melhores cumprimentos,
*Pedro Tavares*
Founder and Editor-in-Chief at
Co-founder of CSIRT.UBI
Creator of 0xSI_f33d <> | @sirpedrotavares
<> | 0xSI_f33d

Copyright © 2021 Vulnerability Database | Cyber Details™

thank you Templateism for the design - You should have written the code a little more complicated - Nothing Encrypted anymore