Chamilo LMS 1.11.14 Cross Site Scripting / Account Takeover

Chamilo LMS version 1.11.14 suffers from a persistent cross site scripting vulnerability.

MD5 | 2aec0cc4998138800d8ac868f08ddcb0

# Exploit Title: Chamilo LMS 1.11.14 - Account Takeover
# Date: July 21 2021
# Exploit Author: sirpedrotavares
# Vendor Homepage:
# Software Link:
# Version: Chamilo-lms-1.11.x
# Tested on: Chamilo-lms-1.11.x
# CVE: CVE-2021-37391

Description: A user without privileges in Chamilo LMS 1.11.x can send an
invitation message to another user, e.g., the administrator, through
main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on
the administration side via a stored XSS vulnerability via social network
the send invitation feature. .
CVE ID: CVE-2021-37391
CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Affected parameter: send private message - text field
Payload: <img src=x onerror=this.src='

Steps to reproduce:
1. Navigate to the social network menu
2. Select the victim profile
3. Add the payload on the text field
4. Submit the request and wait for the payload execution

*Impact:* By using this vulnerability, an unprivileged user can steal
cookies from an admin account or force the administrator to create an
account with admin privileges with an HTTP 302 redirect.
*Mitigation*: Update the Chamilo to the latest version.

Com os meus melhores cumprimentos,
*Pedro Tavares*
Founder and Editor-in-Chief at
Co-founder of CSIRT.UBI
Creator of 0xSI_f33d <> | @sirpedrotavares
<> | 0xSI_f33d

Related Posts