
Description

Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on the server's behalf, which results in unauthenticated blind SSRF. This issue has been patched in version 1.11.28.

PUBLISHED Reserved 2024-10-22 | Published 2026-03-02 | Updated 2026-03-02 | Assigner GitHub_M




MEDIUM: 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 1.11.28 (affected)

References

github.com/...lo-lms/security/advisories/GHSA-rp2w-g734-jf8h

github.com/...ommit/43a9bd1fb8b3f57e7935a6a6bc48975e2063b01b

github.com/chamilo/chamilo-lms/releases/tag/v1.11.28

cve.org (CVE-2024-50337)

nvd.nist.gov (CVE-2024-50337)
