漏洞标题
N/A
漏洞描述信息
Chamilo Chamilo-lms版本1.11.8及更早之前在main/messages/new_message.php、main/social/personal_data.php、main/inc/lib/TicketManager.php、main/ticket/ticket_details.php中存在跨站点脚本(XSS)漏洞,可能导致管理员收到带有XSS代码的的消息,以窃取用户凭据。在主题字段中可以使用XSS负载创建 ticket。此攻击似乎可以通过在主题字段中的负载用户<svg/onload=alert(1)>进行利用。这使得能够获得所有具有查看 tickets 权限的用户的用户凭据。在commit 33e2692a37b5b6340cf5bec1a84e541460983c03之后,该漏洞似乎在1.11.x版本中被修复。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
Chamilo Chamilo-lms version 1.11.8 and earlier contains a Cross Site Scripting (XSS) vulnerability in main/messages/new_message.php, main/social/personal_data.php, main/inc/lib/TicketManager.php, main/ticket/ticket_details.php that can result in a message being sent to the Administrator with the XSS to steal cookies. A ticket can be created with a XSS payload in the subject field. This attack appears to be exploitable via <svg/onload=alert(1)> as the payload user on the Subject field. This makes it possible to obtain the cookies of all users that have permission to view the tickets. This vulnerability appears to have been fixed in 1.11.x after commit 33e2692a37b5b6340cf5bec1a84e541460983c03.
CVSS信息
N/A
漏洞类别
N/A
漏洞标题
Chamilo LMS 跨站脚本漏洞
漏洞描述信息
Chamilo LMS是Chamilo协会的一套开源的在线学习和协作系统。该系统支持创建教学内容、远程培训和在线答题等。 Chamilo Chamilo-lms 1.11.8及之前版本中多个文件存在跨站脚本漏洞。远程攻击者可利用该漏洞窃取cookie信息。(多个文件包括:‘main/messages/new_message.php’、‘main/social/personal_data.php’、‘main/inc/lib/TicketManager.php’和‘main/ticket/ticket_de
CVSS信息
N/A
漏洞类别
跨站脚本