This repo describes several vulnerabilities found in the Claroline Connect app, in its current version: 13.5.7
RCE via arbitrary file upload (CVE-2022-37159): https://github.com/matthieu-hackwitharts/claroline-CVEs/blob/main/rce/rce_file_upload.md
'Location' stored XSS (CVE-2022-37162): https://github.com/matthieu-hackwitharts/claroline-CVEs/blob/main/calendar_xss/calendar_xss.md
Admin account takeover (CSRF) via XSS because of arbitrary file upload (CVE-2022-37160): https://github.com/matthieu-hackwitharts/claroline-CVEs/blob/main/csrf/csrf.md
Stored XSS via SVG file upload (CVE-2022-37161): https://github.com/matthieu-hackwitharts/claroline-CVEs/blob/main/svg_xss/svg_xss.md