{"id":"CVE-2022-37160","details":"Claroline 13.5.7 and prior allows an authenticated attacker to elevate privileges via the arbitrary creation of a privileged user. By combining the XSS vulnerability present in several upload forms with a JavaScript request to the existing API, it is possible to trigger the creation of a user with administrative rights when an administrator user opens an SVG file.","modified":"2026-03-13T05:56:45.847993Z","published":"2022-08-25T17:15:08.233Z","references":[{"type":"EVIDENCE","url":"https://github.com/matthieu-hackwitharts/claroline-CVEs/blob/main/csrf/csrf.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/claroline/claroline","events":[{"introduced":"0"},{"last_affected":"37f16236677fb445c95d0000bb1fbd2ba5063a44"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"13.5.7"}]}}],"versions":["13.0.10","13.0.11","13.0.12","13.0.13","13.0.14","13.0.15","13.0.16","13.0.17","13.0.18","13.0.19","13.0.2","13.0.20","13.0.21","13.0.22","13.0.23","13.0.24","13.0.25","13.0.26","13.0.27","13.0.28","13.0.29","13.0.3","13.0.30","13.0.31","13.0.32","13.0.33","13.0.34","13.0.35","13.0.36","13.0.37","13.0.38","13.0.39","13.0.4","13.0.40","13.0.41","13.0.42","13.0.43","13.0.44","13.0.45","13.0.46","13.0.5","13.0.6","13.0.7","13.0.8","13.0.9","13.1.0","13.1.1","13.1.2","13.1.3","13.1.4","13.3.0","13.4.0","13.4.1","13.4.2","13.4.3","13.5.0","13.5.1","13.5.2","13.5.3","13.5.4","13.5.5","13.5.6","13.5.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37160.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}