This can potentially be exploited for privilege escalation, site hijacking and similar attacks. The issue lies in Chamilo's 'Big file upload' feature: a malicious user can upload an arbitrary file, which is then made available for download by all users. An attacker can use this to place malicious code on the Chamilo site.
Chamilo 1.11.16 is also affected by a cross-site request forgery (CSRF) issue that malicious users could exploit to steal confidential data. To exploit it, the attacker must convince an authenticated user to follow a crafted link.
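The two issue classes above, unrestricted upload of files that other users can then download, and state-changing requests that a merely followed link can trigger, are usually closed with the same two controls: an allow-list on what an upload may be, and a per-session token that a cross-site link cannot supply. The following is an added illustration in Python, not Chamilo's own PHP code and not a patch for the advisory's issues; the allowed types, the denied inner extensions, the size ceiling and the origin string are assumptions chosen for the example.

```python
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed allow-list of extensions users may share, with the magic bytes each
# file type is expected to begin with. Anything not listed (php, phtml, html,
# svg, htaccess, ...) is refused; the list is an example, not Chamilo's policy.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
}
# Inner name segments that must never appear, so "shell.php.jpg" is refused
# even though its final extension is allowed (Apache mod_mime can still map
# such names to a handler). Assumed set for illustration.
DENIED_SEGMENTS = {"php", "php3", "php5", "phtml", "phar", "htaccess", "cgi"}
MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # assumed ceiling for a "big file"


@dataclass
class UploadDecision:
    accepted: bool
    reason: str
    stored_name: str = ""  # random server-side name; never the client's name


def check_upload(filename: str, head: bytes, size: int) -> UploadDecision:
    """Decide whether an upload may be stored and offered to other users.

    `head` is the first bytes of the file as read from the request body and
    `size` the observed byte count. On acceptance the decision carries a
    randomised name under which the file should be written outside the web
    root, so neither the name nor the extension is attacker-controlled.
    """
    if size <= 0 or size > MAX_UPLOAD_BYTES:
        return UploadDecision(False, "size out of range")
    if not filename or "\\" in filename or os.path.basename(filename) != filename:
        return UploadDecision(False, "path separator in file name")
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return UploadDecision(False, "missing extension or dotfile")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        return UploadDecision(False, f"extension .{ext} not allowed")
    if any(seg in DENIED_SEGMENTS for seg in parts[:-1]):
        return UploadDecision(False, "dangerous inner extension")
    if not head.startswith(ALLOWED_TYPES[ext]):
        return UploadDecision(False, "content does not match extension")
    return UploadDecision(True, "ok", f"{secrets.token_hex(16)}.{ext}")


def new_csrf_token() -> str:
    """Per-session token to embed in forms and compare on each state change."""
    return secrets.token_urlsafe(32)


def csrf_valid(session_token: str, submitted: Optional[str],
               origin: Optional[str], allowed_origin: str) -> bool:
    """Accept a state-changing request only if the submitted token matches the
    session token (constant-time compare) and the Origin header, when present,
    is the site's own. A link the victim merely follows carries neither."""
    if not session_token or not submitted:
        return False
    if origin is not None and origin != allowed_origin:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    # Constructed inputs for demonstration, not real uploads.
    for name, head in [("notes.pdf", b"%PDF-1.7\n"), ("shell.php", b"<?php"),
                       ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
                       ("photo.jpg", b"<?php echo 1;")]:
        print(name, check_upload(name, head, 1024))
    tok = new_csrf_token()
    print(csrf_valid(tok, tok, "https://lms.example", "https://lms.example"))
```

The upload check deliberately ignores the client-supplied Content-Type and trusts only the extension allow-list plus the file's leading bytes; the random storage name means that even an accepted file cannot be requested under a name the attacker chose. The CSRF check treats a missing Origin header as acceptable (older clients omit it) but rejects a foreign one, and always requires the session-bound token.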
Chamilo 1.11.16 may also be affected by other critical vulnerabilities. The following steps should be taken promptly to protect the system and its data.
End users: update to the latest version of Chamilo, that is, a release later than the affected 1.11.16 that contains the fix.
Administrators: patch the web applications (site, forum, etc.) running on the affected version of Chamilo.
Patch the operating system in use (Windows, Linux) against major vulnerabilities.
If possible, disable remote management for the web applications (site, forum, etc.) running on the affected version of Chamilo.
Disable file upload for the web applications (site, forum, etc.) running on the affected version of Chamilo until a fixed version is installed.
Chamilo FAQ
Q: What are the possible impacts of these vulnerabilities?
A: They may allow a malicious user to perform privilege escalation, site hijacking and similar attacks.
Timeline
Published on: 10/17/2022 18:15:00 UTC
Last modified on: 10/19/2022 05:21:00 UTC