Chamilo LMS Reflected Cross-Site Scripting Vulnerability in Exercise Question List Admin Panel

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Chamilo LMS versions prior to 2.0.0-RC.3. This issue resides in the exercise question list admin panel, where unsanitized GET parameters are merged and output into HTML href attributes without proper encoding. As a result, an attacker can execute arbitrary JavaScript in the browser of an authenticated teacher.

Impact

Exploitation of this vulnerability could lead to session cookie theft, allowing for unauthorized actions such as grade manipulation, course content modification, and execution of CSRF attacks with teacher privileges.

Reproduction

To reproduce this vulnerability, an authenticated teacher can be targeted by sending a crafted GET request that includes a parameter key with a double quote. The pagination feature will then inject the unsanitized parameter into an HTML href attribute, executing any included JavaScript when the link is clicked.
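The pattern the advisory describes, as an added illustration that is not Chamilo's own code: a minimal PHP pagination helper that rebuilds the page link from `$_GET`, first in the vulnerable shape (keys and values concatenated straight into the href) and then hardened; the function names and the sample query array are assumptions.

```php
<?php
// Illustrative reconstruction, NOT Chamilo's code: a pagination helper that
// carries the current GET parameters into each page link.

// Vulnerable form: parameter keys and values are concatenated verbatim.
// A key containing a double quote terminates the href attribute early, so
// whatever follows it in the query string is parsed as new HTML attributes.
function buildPageLinkVulnerable(array $params, int $page): string
{
    $params['page'] = $page;
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return '<a href="?' . implode('&', $pairs) . '">' . $page . '</a>';
}

// Hardened form: keys and values are percent-encoded as query data, and the
// finished URL is HTML-encoded (ENT_QUOTES) before it lands in the attribute,
// so a quote in a parameter name can no longer break out of the href.
function buildPageLinkSafe(array $params, int $page): string
{
    $params['page'] = $page;
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    $href = htmlspecialchars('?' . $query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $href . '">' . $page . '</a>';
}

// Constructed sample input (assumption): a query whose key carries a quote,
// as a request to the question list page might.
$constructedGet = ['exerciseId' => '12', 'x"' => 'y'];

// The vulnerable output contains a raw " inside the attribute; the safe
// output encodes it as %22 and the separators as &amp;.
echo buildPageLinkVulnerable($constructedGet, 2), PHP_EOL;
echo buildPageLinkSafe($constructedGet, 2), PHP_EOL;
```

Running the two lines side by side shows the attribute boundary surviving only in the hardened version; the same encoding applies to any other user-controlled fragment placed in an HTML attribute.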

Remediation

Users can upgrade to Chamilo LMS version 2.0.0-RC.3 or later to address this vulnerability.

Added: Apr 10, 2026, 7:03 PM
Updated: Apr 10, 2026, 7:03 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.7
exploitability: 7.4
remediation: 7.7
relevance: 5.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.