Multiple directory traversal vulnerabilities in Dokeos 1.6 and earlier, and possibly Claroline, allow remote attackers to (1) delete arbitrary files or directories via the delete parameter to claroline/scorm/scormdocument.php, (2) move arbitrary files via the move_to and move_file parameters to claroline/document/document.php, or determine the existence of arbitrary files via the file parameter to (3) claroline/scorm/showinframes.php or (4) claroline/scorm/contents.php.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dokeos | dokeos | * |
Multiple PHP remote file inclusion vulnerabilities in Claroline 1.7.5 allow remote attackers to execute arbitrary PHP code via a URL in the (1) clarolineRepositorySys parameter in ldap.inc.php and the (2) claro_CasLibPath parameter in casProcess.inc.php.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dokeos | dokeos | 1.5.4 |
| dokeos | dokeos | 1.5.3 |
| dokeos | dokeos | 1.5.5 |
| claroline | claroline | 1.5 |
| dokeos | dokeos | 1.6.4 |
| claroline | claroline | 1.6_rc1 |
| claroline | claroline | 1.7.4 |
| claroline | claroline | 1.7.2 |
| claroline | claroline | 1.6 |
| claroline | claroline | 1.7.5 |
| dokeos | dokeos | 1.5 |
| dokeos | dokeos | 1.6_rc2 |
| claroline | claroline | 1.5.4 |
| dokeos | dokeos | 1.4 |
| claroline | claroline | 1.5.3 |
| claroline | claroline | 1.6_beta |
PHP remote file inclusion vulnerability in authldap.php in Dokeos 1.6.4 allows remote attackers to execute arbitrary PHP code via a URL in the includePath parameter.
CVSS 2.0
Severity: MEDIUM
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dokeos | open_source_learning_and_knowledge_management_tool | 1.4 |
| dokeos | open_source_learning_and_knowledge_management_tool | 1.6.4 |
| dokeos | open_source_learning_and_knowledge_management_tool | 1.5 |
| dokeos | open_source_learning_and_knowledge_management_tool | 1.5.3 |
| dokeos | open_source_learning_and_knowledge_management_tool | 1.6_rc2 |
| dokeos | open_source_learning_and_knowledge_management_tool | 1.5.4 |
| dokeos | open_source_learning_and_knowledge_management_tool | 1.5.5 |
Multiple PHP remote file inclusion vulnerabilities in claro_init_global.inc.php in Dokeos 1.6.3 and earlier, and Dokeos community release 2.0.3, allow remote attackers to execute arbitrary PHP code via a URL in the (1) rootSys and (2) clarolineRepositorySys parameters, and possibly the (3) lang_path, (4) extAuthSource, (5) thisAuthSource, (6) main_configuration_file_path, (7) phpDigIncCn, and (8) drs parameters to (a) testheaderpage.php and (b) resourcelinker.inc.php.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dokeos | dokeos_community_release | 2.0.3 |
| dokeos | dokeos | * |
Dokeos 2.1.1 has multiple XSS issues involving "extra_" parameters in main/auth/profile.php.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dokeos | dokeos | 2.1.1 |
SQL injection vulnerability in Dokeos 2.2 RC2 and earlier allows remote attackers to execute arbitrary SQL commands via the language parameter to index.php.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-89,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| dokeos | dokeos | * |
| dokeos | dokeos | 2.0 |
| dokeos | dokeos | 2.1 |