CVE-2021-37391 in LMS
Summary
by MITRE • 08/11/2021
A user without privileges in Chamilo LMS 1.11.14 can send an invitation message to another user, e.g., the administrator, through main/social/search.php, main/inc/lib/social.lib.php and steal cookies or execute arbitrary code on the administration side via a stored XSS vulnerability via social network the send invitation feature.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/03/2025
The vulnerability CVE-2021-37391 represents a critical stored cross-site scripting flaw within Chamilo Learning Management System version 1.11.14 that undermines the platform's security integrity. This vulnerability specifically affects the social network invitation feature implemented through the main/social/search.php endpoint and leverages the main/inc/lib/social.lib.php library. The flaw allows unprivileged users to exploit the system's invitation mechanism to inject malicious scripts that persist within the application's database, making it a stored XSS vulnerability that can target privileged users including administrators.
The technical implementation of this vulnerability occurs through the social network invitation functionality where user input is not properly sanitized or validated before being stored and subsequently rendered in the web interface. When an administrator or other privileged user accesses the invitation-related pages, the malicious script executes in their browser context, potentially enabling attackers to steal session cookies, hijack administrator sessions, or execute arbitrary code on the target system. This type of vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws where untrusted data is improperly handled in web applications.
The operational impact of this vulnerability is severe as it creates a persistent attack vector that can be exploited by any user with basic access privileges to compromise the entire administrative environment. Attackers can leverage this vulnerability to gain unauthorized access to administrative functions, modify user permissions, access sensitive course materials, or even escalate their privileges within the system. The stored nature of the XSS means that the malicious payload remains active even after the initial injection, continuously affecting any user who views the affected content, including system administrators who may inadvertently click on the malicious invitation.
Security professionals should note that this vulnerability aligns with ATT&CK technique T1566.001 which covers spearphishing with a link, and T1071.001 which involves application layer protocol usage. Organizations running Chamilo LMS 1.11.14 must implement immediate mitigations including input validation and output encoding for all user-supplied content, particularly within social networking features. The recommended approach involves sanitizing all invitation messages and user-generated content through proper HTML escaping, implementing content security policies, and restricting access to sensitive administrative functions through additional authentication layers. Patch management should be prioritized to upgrade to versions that address this specific stored XSS vulnerability in the social invitation system.