nvd description updated
parent
daba6e2efb
commit
f8931e8381
@ -5,7 +5,7 @@ info:
author: DhiyaneshDK
severity: high
description: |
There is an OS command injection vulnerability in Chamilo versions 1.11.18 and lower, which allows unauthenticated remote attackers to execute arbitrary commands. The vulnerability is present in the /main/webservices/additional_webservices.php endpoint and resulted because of poor user input sanitization in the powerpoint filename inside the wsConvertPpt function which has an exec function call. Attackers can perform SOAP requests with commands embedded in a powerpoint file's name and execute them via the exec call inside the wsConvertPpt function.
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
reference:
- https://sploitus.com/exploit?id=FD666992-20E1-5D83-BA13-67ED38E1B83D
- https://github.com/Aituglo/CVE-2023-34960/blob/master/poc.py
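Review bot: The replacement description ("A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 ...") drops three details from the text it replaces that matter for triage: that the attack is unauthenticated, that the affected endpoint is /main/webservices/additional_webservices.php, and that the root cause is the unsanitized PowerPoint filename reaching an exec call. With severity: high unchanged, a reader of the template alone can no longer tell that no credentials are required or which path to look for in web server logs. Consider keeping the NVD sentence and appending a second one that restores "unauthenticated" and the endpoint path. The range wording "v1.11.* up to v1.11.18" is also less direct than the earlier "versions 1.11.18 and lower"; if the NVD text has to stay verbatim, state the affected range plainly in that added sentence.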