# CVE-2021-46398 Chamilo-LMS 1.11.14 RCE
Chamilo LMS v1.11.14 was discovered to contain a zero-click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. The vulnerability is triggered through user interaction with the attacker's profile page.
* One-Click Technique: An attacker with a student account can create a malicious web page or a malicious SVG image file and upload it to the "My Productions" section of the student profile page, then copy the URL of that file and send it to the Chamilo admin user. When the admin loads the file in a browser with an active Chamilo session, it uploads a plugin (.zip file) to Chamilo in the background. The attacker can then simply navigate to /plugin/exploited-directory/ and execute malicious commands.
Advantages of this exploit: no need to upload a malicious file to the /app/upload/users/ directory, and no need to send a link or URL to the admin. When the admin visits the attacker's profile, the attacker gets the RCE ;-) .
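Because the chain ends with requests to a freshly planted directory under /plugin/, a defender can spot it by checking web server access logs for served requests to plugin directories that are not part of the installation. The following is an added detection example written for this page, not code from the advisory or from Chamilo; the plugin allowlist and the log lines are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# ASSUMPTION: constructed allowlist for the example. In practice build it
# from the plugin/ directory of the deployment being monitored.
KNOWN_PLUGINS = {"dashboard", "bbb", "vchamilo"}

# Apache/nginx combined log format: client, identd, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# First path segment under /plugin/ is the plugin directory name.
PLUGIN_RE = re.compile(r"^/plugin/(?P<name>[^/?#]+)")


def plugin_dir(path: str) -> Optional[str]:
    """Return the plugin directory a request path points into, or None."""
    m = PLUGIN_RE.match(path)
    return m.group("name") if m else None


def unknown_plugin_hits(lines: Iterable[str], known=KNOWN_PLUGINS) -> List[Dict[str, str]]:
    """Flag successfully served requests (2xx/3xx) to a /plugin/<dir>/ not in the allowlist.

    A 404 for an unknown directory is noise (typos, scanners); a 200 means
    something is actually installed there and needs a look.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        name = plugin_dir(m.group("path"))
        if name is None or name in known:
            continue
        if m.group("status").startswith(("2", "3")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "plugin": name, "path": m.group("path")})
    return hits


# Constructed sample log lines (not from a real incident); the hit directory
# name is the one the advisory uses as its example.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2022:10:00:09 +0000] "GET /plugin/dashboard/index.php HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Jan/2022:10:02:30 +0000] "GET /plugin/exploited-directory/ HTTP/1.1" 200 44',
    '198.51.100.7 - - [10/Jan/2022:10:02:31 +0000] "GET /plugin/exploited-directory/index.php HTTP/1.1" 200 97',
    '198.51.100.7 - - [10/Jan/2022:10:03:00 +0000] "GET /plugin/typo/ HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for hit in unknown_plugin_hits(SAMPLE_LOG):
        print(hit)
```

Pairing a hit with a file-integrity check of the plugin/ directory (a new zip-extracted directory appearing without a corresponding admin change window) turns this from a log heuristic into a confirmed finding.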