Chamilo LCMS Connect version 4.1 suffers from a persistent (stored) cross-site scripting vulnerability. Originally added in March 2015; since updated with new information.
#Affected Vendor: http://lcms.chamilo.org/
#Date: 27/03/2015
#Discovered by: Joel Vadodil Varghese
#Type of vulnerability: Stored XSS
#Tested on: Windows 7
#Product: LCMS Connect
#Version: 4.1
#Description: Chamilo is an open-source (GNU/GPL) e-learning and content
management system aimed at improving access to education and knowledge
globally. Chamilo LCMS is a complete rewrite of the platform for e-learning
and collaboration. Chamilo LCMS Connect is vulnerable to stored cross-site
scripting: the value submitted in the "site_name" parameter is stored as
received and later rendered into pages without output encoding, so script
supplied in that parameter executes in the browser of any user who views a
page that displays the site name.
#Proof of Concept (PoC): site_name=<img src="" onerror="alert('XSS')"/>
The empty src forces the image error event, so the handler fires as soon as
the stored value is rendered, with no user interaction.
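To make the stored-XSS mechanism and its fix concrete, the following is an added example and not Chamilo's own code (Chamilo is written in PHP; this is a Python stand-in). The `<h1>` and `<meta>` rendering contexts, the in-memory settings store and the helper names are assumptions for illustration, since the advisory does not say where the site name is rendered. The block stores the advisory's PoC value, renders it the vulnerable way and the output-encoded way, and uses a small HTML parser to check whether an event-handler attribute survived into the markup:

```python
import html
from html.parser import HTMLParser

# Constructed input: the advisory's PoC value for the site_name parameter.
POC_SITE_NAME = '<img src="" onerror="alert(\'XSS\')"/>'

# Simulated persistent storage (assumption). In the real application the value
# lands in the database and is read back on every page render; that round trip
# is what makes the XSS "stored" rather than reflected.
_settings: dict[str, str] = {}


def save_site_name(value: str) -> None:
    """Store the submitted value exactly as received (no input filtering)."""
    _settings["site_name"] = value


def render_unsafe() -> str:
    """Vulnerable pattern (hypothetical context): the stored value is
    interpolated into element content verbatim."""
    return f"<h1>Welcome to {_settings['site_name']}</h1>"


def render_safe() -> str:
    """Hardened pattern: HTML-encode at output time. html.escape with
    quote=True (the default) also encodes both quote characters, so the same
    call is safe for quoted attribute values."""
    return f"<h1>Welcome to {html.escape(_settings['site_name'])}</h1>"


def render_safe_attr() -> str:
    """Same value placed in a quoted attribute (hypothetical meta tag)."""
    return f'<meta name="application-name" content="{html.escape(_settings["site_name"])}">'


class _HandlerFinder(HTMLParser):
    """Collects (tag, attribute) pairs for every on* event-handler attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag, name.lower()))

    # Self-closing tags such as <img .../> must be inspected the same way.
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def injected_handlers(rendered_html: str) -> list[tuple[str, str]]:
    """Return every event-handler attribute a browser would see in the
    rendered markup. An empty list means the stored value was neutralised."""
    finder = _HandlerFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.handlers


def is_vulnerable(render) -> bool:
    """Store the PoC, render with the given function, and report whether an
    executable handler survived."""
    save_site_name(POC_SITE_NAME)
    return bool(injected_handlers(render()))


if __name__ == "__main__":
    print("unsafe render vulnerable:", is_vulnerable(render_unsafe))  # True
    print("safe render vulnerable:  ", is_vulnerable(render_safe))    # False
    print(render_safe())
```

In PHP the equivalent of `html.escape` is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` applied at the point of output; encoding on output rather than filtering on input is the durable fix, because the same stored value may be emitted in several contexts (element content, attributes) that each need context-appropriate encoding.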
*Reported to Vendor:* 28 Mar 2015
*Patch Confirmation:* 01 Apr 2015
*References:*
*Mail sent to Vendor:*
http://lists.chamilo.org/pipermail/dev-lcms/2015-April/015386.html
*Patch Confirmation:*
https://bitbucket.org/chamilo/core/commits/96bc613dccebb91c80d53457432b0fd2fbe3dece