Chamilo LMS Reflected Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Chamilo LMS versions through 1.11.34. This issue occurs in the session category listing page, where the 'keyword' parameter from the request is directly echoed into an HTML href attribute without proper encoding or sanitization. An attacker can exploit this by injecting arbitrary HTML or JavaScript, breaking out of the attribute context with a specific sequence followed by a malicious payload. The vulnerability is triggered when the number of session categories exceeds 20, causing the pagination controls to render.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, an authenticated user can navigate to the session category listing page in Chamilo LMS version 1.11.34 or prior. Once there, if the number of session categories exceeds 20, the pagination controls will render. At this point, the 'keyword' parameter can be manipulated to inject a malicious payload into the href attribute of the rendered page.

Remediation

Users can upgrade to Chamilo LMS version 1.11.36, where this vulnerability has been patched.