CVE-2021-35414

Name: CVE-2021-35414
Creator: NVD / NIST
Published: 2021-12-03T22:15:07.58+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 1.80%

Last modified Jun 17, 2026

CVE-2021-35414 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.. EPSS estimates a 1.80% chance of exploitation in the next 30 days.

Description

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.80%

75.8th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-89

Affected Software

Vendor	Product	Versions
Chamilo	Chamilo Lms	>= 1.11.0, <= 1.11.16

References

https://github.com/andrejspuler/writeups/tree/main/chamilo-lms#unauthenticated-sql-injection-2-in-pluginExploit, Patch, Third Party Advisory
https://github.com/andrejspuler/writeups/tree/main/chamilo-lms#unauthenticated-sql-injection-in-compilatio-moduleExploit, Patch, Third Party Advisory
https://github.com/chamilo/chamilo-lms/commit/36149c1ff99973840a809bb865f23e1b23d6df00Patch, Third Party Advisory
https://github.com/chamilo/chamilo-lms/commit/6a98e32bb04aa66cbd0d29ad74d7d20cc7e7e9c5Patch, Third Party Advisory
https://github.com/chamilo/chamilo-lms/commit/f398b5b45c019f873a54fe25c815dbaaf963728bPatch, Third Party Advisory
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-59-2021-05-13-High-impact-low-risk-Unauthenticated-SQL-injection-vulnerability-when-a-module-is-enabledPatch, Vendor Advisory
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-65-2021-05-15-High-impact-very-high-risk-Unauthenticated-SQL-injection-in-pluginPatch, Vendor Advisory
https://github.com/andrejspuler/writeups/tree/main/chamilo-lms#unauthenticated-sql-injection-2-in-pluginExploit, Patch, Third Party Advisory
https://github.com/andrejspuler/writeups/tree/main/chamilo-lms#unauthenticated-sql-injection-in-compilatio-moduleExploit, Patch, Third Party Advisory
https://github.com/chamilo/chamilo-lms/commit/36149c1ff99973840a809bb865f23e1b23d6df00Patch, Third Party Advisory
https://github.com/chamilo/chamilo-lms/commit/6a98e32bb04aa66cbd0d29ad74d7d20cc7e7e9c5Patch, Third Party Advisory
https://github.com/chamilo/chamilo-lms/commit/f398b5b45c019f873a54fe25c815dbaaf963728bPatch, Third Party Advisory
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-59-2021-05-13-High-impact-low-risk-Unauthenticated-SQL-injection-vulnerability-when-a-module-is-enabledPatch, Vendor Advisory
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-65-2021-05-15-High-impact-very-high-risk-Unauthenticated-SQL-injection-in-pluginPatch, Vendor Advisory

Timeline

Published: Dec 3, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-35414?

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload.php.

How severe is CVE-2021-35414?

CVE-2021-35414 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.80% probability of exploitation in the next 30 days.

How do I fix CVE-2021-35414?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-35414?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST