Chamilo Security

54 posts

@chamilosecurity

open source e-learning & collaboration software

Joined January 2010
6 Following · 195 Followers
Chamilo Security@chamilosecurity·
Security advisories will be published within 2 weeks of today.
Chamilo Security@chamilosecurity·
We have just released version 1.11.38 of Chamilo at record speed, fixing multiple issues, some of them CRITICAL. Notably, one of these was accessible without authentication. Please update as soon as possible to protect your Chamilo portal and the personal data of your users.
Chamilo Security@chamilosecurity

🚨We have received several reports of Chamilo 1.11.* (including 1.11.36) portals getting cracked on the basis of a new unauthenticated RCE vulnerability. It only affects portals with the main/install/ directory. If you still have it, please remove it ASAP! [1/2]

Chamilo Security@chamilosecurity·
Also make sure database server details at the beginning of app/config/configuration.php are the correct ones, as the file might have been modified. If you use web services, also update the value of security_key in configuration.php.
Chamilo Security@chamilosecurity·
We are actively working on a fix and will provide a new version for download in the next few hours. Please also check for scripts like rce_[somenumber].php or up_[some-number].php in your files, and verify configuration.php for any added code like file_put_contents() and remove
Chamilo Security@chamilosecurity·
🚨We have received several reports of Chamilo 1.11.* (including 1.11.36) portals getting cracked on the basis of a new unauthenticated RCE vulnerability. It only affects portals with the main/install/ directory. If you still have it, please remove it ASAP! [1/2]
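The checks named in the posts above (installer directory still present, dropped rce_/up_ scripts, code added to configuration.php) as a read-only shell function. This is an added example, not Chamilo's own tooling; the function names, the output labels and the reading of the bracketed placeholder as "starts with a digit" are assumptions.

```shell
#!/bin/sh
# Added example (not Chamilo tooling): read-only triage of a Chamilo 1.11.x
# tree for the three items named in the posts above.
# Usage after sourcing this file: chamilo_triage <your Chamilo root>

# Print one line per finding; print nothing when the tree looks clean.
_chamilo_scan() (
    root=$1
    cfg="$root/app/config/configuration.php"

    # 1. The installer directory should not exist on a live portal.
    if [ -d "$root/main/install" ]; then
        echo "installer-dir: $root/main/install"
    fi

    # 2. Files named rce_<number>.php or up_<number>.php anywhere in the tree.
    find "$root" -type f \
        \( -name 'rce_[0-9]*.php' -o -name 'up_[0-9]*.php' \) 2>/dev/null |
        sed 's/^/dropped-script: /'

    # 3. file_put_contents in configuration.php. Only line numbers are
    #    reported, so credentials stored in that file are not echoed.
    if [ -f "$cfg" ]; then
        grep -n 'file_put_contents' "$cfg" | cut -d: -f1 |
            while read -r n; do
                echo "config-added-code: $cfg line $n"
            done
    fi
    :
)

# Return 0 when nothing was found, 1 (after printing the findings) otherwise.
chamilo_triage() (
    root=${1:?usage: chamilo_triage /path/to/chamilo}
    findings=$(_chamilo_scan "$root")
    [ -z "$findings" ] || { printf '%s\n' "$findings"; exit 1; }
)
```

A clean result does not cover the other items in the posts: the database server details and the security_key value in configuration.php still have to be reviewed by hand.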
Chamilo Security@chamilosecurity·
📢Chamilo 1.11.36 is now available for download. It contains a few more fixes to vulnerabilities of different types (on top of 1.11.34, released recently). Please update your Chamilo platform soon. chamilo.org/en/download/
Chamilo Security@chamilosecurity·
📢Chamilo 1.11.34 is now available for download. It contains a number of fixes to vulnerabilities of different types, 1 of them CRITICAL. Please update your Chamilo platform as soon as possible to avoid data loss/theft. chamilo.org/en/download/
Chamilo Security@chamilosecurity·
Today, we have released Chamilo 1.11.32, which includes many vulnerability fixes (through 1.11.30). Please update soon. Stay safe. chamilo.org/en/download/
Chamilo Security@chamilosecurity·
🪂Chamilo 1.11.28 has just landed, with many security fixes. Update today to help secure the Chamilo network. Together, we are stronger! 🚀 chamilo.org/download
Chamilo Security@chamilosecurity·
New reports of vulnerabilities have been appearing since early this week. These vulnerabilities have been addressed (as indicated in the original report by Quarkslab) but they consist of individual patches. We are working on a 1.11.28 release which includes those fixes.
Chamilo Security retweeted
Chamilo News@chamilo_news·
Chamilo 1.11.26 is out 🥳This version includes highly-recommended security updates and a few improvements on top of the previous version. Please update ASAP to keep your data and servers safe. chamilo.org/download
Chamilo Security@chamilosecurity·
New critical vulnerabilities have been discovered (and fixes are available) in Chamilo 1.11.24. We urge you to update to 1.11.26 ASAP to avoid any issue with user data. Download 1.11.26 from github.com/chamilo/chamil… or check each patch at support.chamilo.org/projects/chami… (anchor #section-6)
Chamilo Security@chamilosecurity·
A new vulnerability (IDOR) has been detected, affecting Chamilo 1.11 portals installed or updated since 2017. Admins are encouraged to use the patch available here support.chamilo.org/projects/chami… (anchor #Issue-127-2023-08-23-Moderate-impact-High-risk-IDOR-in-messages), affecting only 2 files for Chamilo 1.11.22, or to update as soon as 1.11.24 is released.
Chamilo Security@chamilosecurity·
All known vulnerabilities have been patched in this new version. Updating your portal using the standard update procedure (backup, then overwrite files on your existing portal) is the easiest possible way to keep your data and servers safe. Please take the appropriate action soon
Chamilo News@chamilo_news

Chamilo 1.11.22 is out 🥳 This version includes highly-recommended security updates and a few improvements on top of the previous version. Please update ASAP to keep your data and servers safe. chamilo.org/download

Chamilo Security retweeted
Chamilo News@chamilo_news·
Chamilo 1.11.22 is out 🥳 This version includes highly-recommended security updates and a few improvements on top of the previous version. Please update ASAP to keep your data and servers safe. chamilo.org/download
Chamilo Security@chamilosecurity·
So if you're not on Windows and you've already deleted the additional_webservices.php script, you're already mostly OK 😉
Chamilo Security@chamilosecurity·
One critical issue only affects Chamilo on Windows servers, while the other further exploits a vulnerable file (main/webservices/additional_webservices.php) which can safely be removed if you don't use the remote PPT converter extension.
Chamilo Security@chamilosecurity·
New critical vulnerabilities have been discovered (and fixes are available) in Chamilo 1.11.20. We urge you to apply those pages ASAP, as we race to provide a new version 1.11.22 to allow for an easier update process. support.chamilo.org/projects/chami… (anchor #section-6)
Chamilo Security@chamilosecurity·
This issue affects most previous versions of Chamilo. Version 1.11.20 is safe in that regard.
Chamilo Security@chamilosecurity·
We have received numerous reports of the RCE mentioned above being exploited since past yesterday. If you cannot update your Chamilo portal safely, please delete the main/webservices/additional_webservices.php file (or block access to it) as a quick fix. Be safe.
Chamilo Security@chamilosecurity·
Hey chamilovers! We have just published 1.11.20, which includes a fix for a critical RCE vulnerability, so please update soon. We care about u and ur users. Don't let bad guys abuse your Chamilo installation. As always, the official source is on Github: github.com/chamilo/chamil…