Skip to main content
HomePentest-Tools.com Logo

Vulnerabilities & Exploits

Chamilo - Remote Code Execution (CVE-2023-34960)

Severity
CVSSv3 Score
9.8
CVE
CVE-2023-34960
Vulnerability description

Chamilo is affected by a Remote Code Execution vulnerability inside the additional_webservices.php component. The root cause of this vulnerability is improper sanitization of user-provided input when accessing additional_webservices.php endpoint. This allows an unauthenticated malicious attacker to execute commands on the Chamilo server.

Risk description

The risk exists that a remote unauthenticated attacker can fully compromise the Chamilo server in order to steal confidential information, install ransomware or pivot to the internal network.

Exploit capabilities

Sniper can gain unauthenticated Remote Code Execution on the target system and extract multiple artefacts as evidence.

Recommendation

Update Chamilo to one the latest available version.

References

https://github.com/chamilo/chamilo-lms/blob/d24bddb2227d226fdd1bfaa31f51850d7343186a/public/main/webservices/additional_webservices.php#L63

Codename
Not available
Detectable with
Network Scanner
Exploitable with Sniper
Yes
Vuln date
Jun 2023
Published at
Updated at
Software Type
CMS
Vendor
BeezNest
Product
Chamilo