Skip to main content

Chamilo LMS: CVE-2024-27524 & CVE-2024-27525



CVE-2024-27524: Stored XSS in tickets
Severity: High (Base Score 7.1)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H 
Mitigation: Upgrade to Chamilo LMS 1.11.28 and above.

CVE-2024-27525: Self XSS in social network
Base Score: Medium (Base Score 4.6)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Mitigation: Upgrade to Chamilo LMS 1.11.28 and above.

Overview

This advisory covers the discovery of two vulnerabilities within Chamilo LMS, an open-source learning management system (LMS) widely used across educational institutions. These vulnerabilities—stored cross-site scripting (Stored XSS) and self-cross-site scripting (Self XSS)—pose different levels of security risks but highlight critical considerations for secure system administration and user protection.

Summary of Vulnerabilities

Both vulnerabilities were responsibly disclosed, with Chamilo's development team implementing necessary patches to mitigate potential exploits. It’s advised for all users to update to Chamilo LMS version 1.11.28 or above to prevent exploitation.

Detailed Vulnerability Analysis

Stored XSS (CVE-2024-27524)
Severity: High
Description: This Stored XSS vulnerability, identified within the ticketing module, allows attackers to inject malicious code directly into the Chamilo LMS environment.
Attack Vector: An attacker can use the following vulnerable endpoint to execute malicious code whenever a user accesses or interacts with compromised data:
http://chamilo-lms.local/main/ticket/new_ticket.php?project_id=1&

Payload Example: <img src=x onerror=alert(1) >.png
  Listing 1: Create a new project ticket with malicious script

Stored XSS vulnerabilities are especially concerning, as they allow the attacker’s script to persist in the application, presenting a severe risk of data theft, session hijacking, and unauthorized redirection. Users accessing the infected area unknowingly execute the script, which could lead to potential loss of control over their accounts.

Listing 2: Triggering the Stored XSS vulnerability
Self XSS (CVE-2024-27525)
Severity: Medium
Description: The Self XSS vulnerability is found in Chamilo’s social network module and requires a user’s active input to execute the script, making it a somewhat lower-risk issue.
Attack Vector: Users are vulnerable when interacting with the following endpoint, allowing the code to run within their own session but requiring intentional triggering:
http://chamilo-lms.local/main/social/home.php

Payload Example: <img src=x onerror="alert(1)">.png
Listing 3: Triggering the Self XSS vulnerability through user interaction

While Self XSS poses less of a threat due to its dependency on user initiation, it can still serve as a gateway for social engineering attacks, where users unknowingly enable the malicious script by engaging with the embedded link or script.

Recommendations for Users and Administrators
To mitigate these vulnerabilities, it is critical to upgrade to Chamilo LMS 1.11.28 or later. The update includes patches addressing these XSS vulnerabilities to protect both administrators and users from potential exploitation. Here are additional security best practices:

1.Update Regularly: Ensure all Chamilo LMS instances are updated promptly upon the release of security patches.
2.Review User Permissions: Restrict permissions to limit potential exposure to high-privileged users.
3.Implement Security Training: Educate users on the risks of XSS, particularly in environments with social networking or ticketing features.

Final Thoughts

The discovery of these vulnerabilities underscores the importance of consistent security monitoring and collaboration within the open-source community. Working with the Chamilo team on these issues has been a reminder of the shared commitment to securing digital learning tools that empower institutions worldwide. We extend this advisory to all Chamilo users to reinforce their system’s defenses and urge proactive steps to protect the integrity of educational platforms.

Acknowledgments: Ι thank Chamilo’s development team for their swift collaboration and response, setting an example of dedication to the security of open-source software.


This Article Was Sponsored By:




Popular posts from this blog

Open eClass – CVE-2024-26503: Unrestricted File Upload Leads to Remote Code Execution

During an assessment, I identified a severe security vulnerability within Open eClass, an e-learning platform extensively utilized across educational institutions, notably within Greece, where it is deployed by virtually all Greek Universities and educational entities. Open eClass, developed by GUnet (Greek Universities Network), is instrumental in delivering asynchronous e-learning services. The vulnerability, cataloged under CVE-2024-26503, involves an unrestricted file upload flaw that enables remote code execution (RCE), impacting versions 3.15 and earlier of the platform. This critical security lapse presents a significant risk, potentially allowing unauthorized access and control over the system, thereby compromising the integrity and security of the educational infrastructure. Affected Versions: ●   version <=  3.15 CVSSv3.1 Base Score: 9.1 ( Critical ) CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H Exploitation Guide The vulnerability can be e...
Read more

How I Use Obsidian for Penetration Testing, CVE Hunting, and Studying

In the ever-evolving realm of cyber security, the tools and techniques at our disposal are as varied as the threats we aim to counteract. Among these tools, note-taking applications play a pivotal role, not just in organizing our thoughts but in streamlining our entire workflow. Today, I'm excited to share how Obsidian, a tool I embraced over two and a half years ago while preparing for my eJPT exam, has become an indispensable ally in my journey through penetration testing, CVE hunting, and continuous learning. If you're not yet familiar with Obsidian, it's a robust note-taking application that operates on a local collection of plain text Markdown files. What sets it apart is its capability to interlink ideas, forming an expansive web of knowledge that is both intuitive and comprehensive to explore. Through considerable customization, I've developed what I consider to be an ideal method for consolidating notes, insights, and projects into a unified workspace. Here'...
Read more