Chamilo Learning Management System Stored Cross-Site Scripting Vulnerability in CSV Filename Handling

Vulnerability

A stored cross-site scripting vulnerability affects Chamilo Learning Management System versions prior to 1.11.30. The filename of a CSV file uploaded through the user import process is not sanitized before it is stored and later rendered in the web interface. An attacker with access to the import feature can therefore upload a CSV whose name contains HTML with embedded JavaScript; the script runs in the browser of an administrator, or of any user permitted to view import logs or file histories, when that filename is displayed. The issue is fixed in version 1.11.30.

Impact

Exploitation allows arbitrary JavaScript to run in the browser of the user viewing the affected page, within that user's authenticated session. This can lead to session hijacking, actions performed with the victim's privileges, or compromise of administrative accounts.

Reproduction

To reproduce this vulnerability, create a CSV file for user import whose name carries a JavaScript payload, for example an image tag with an 'onerror' handler such as <img src=x onerror=alert(document.cookie)>.csv; the CSV contents themselves can be entirely valid. Log into Chamilo as an administrator or a user with similar privileges and upload the file through the user import interface. The payload executes either immediately, when the filename is echoed back in the upload response, or later, when the import history is viewed. Because the upload itself requires import privileges, the attack only matters when the stored filename is later rendered to a different, more privileged user; otherwise it is self-XSS.

Remediation

Update to Chamilo version 1.11.30 or later, where this vulnerability has been patched. Until the upgrade is applied, restrict the user import feature to trusted administrators, and review stored import-history filenames for HTML markup, since a previously uploaded malicious name remains stored and will still render after the upgrade if it is displayed unescaped elsewhere.

Added: Mar 2, 2026, 3:32 PM
Updated: Mar 2, 2026, 10:05 PM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 5.4
exploitability: 6.3
remediation: 7.7
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.