mPDF is a PHP library that generates PDF files from UTF-8 encoded HTML.
Chamilo uses this library to convert HTML to PDF.
It has been discovered that, in all 1.11.* versions, anyone able to edit the HTML (that is, anyone with editing permissions) can abuse this to trigger a remote code execution (RCE) vulnerability.
Softaculous, a 1-click app installer, has released an update for Chamilo to patch this.
Customers installing new Chamilo applications will use the updated version.
While existing installations were not updated (since the current Chamilo version number is the same), Chamilo believes there are enough conditions and features in Chamilo to mitigate or remove this issue.
There is every reason to believe so, as the team behind Chamilo LMS has a great track record of fixing reported security issues and publishing fixes prior to the official publication of the vulnerabilities on official sites.
So when the Chamilo team releases a new version (including Chamilo 2.0, which is still in development), Softaculous will release the new version.
And existing users can then upgrade their installations to the latest version with the patch.
For more information on the nature of this vulnerability, please visit research.securitum.com.
If you want to manually tweak your files, then visit github.com/chamilo/chamilo-lms.
Note that this is not limited to Chamilo only.
It is an issue that affects any application using the library.
Chamilo is a learning management system (LMS) and web application often used by schools and educational institutions.
To learn more about this LMS, please visit www.webhostingmagic.com/chamilo-lms-hosting.html.
Softaculous automates the installation of web applications to a website so that you can focus on using your apps, rather than spending time on installing/managing them.