Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.
The vulnerability results from improper neutralization of special characters in parameters passed to the webservices endpoint. An attacker can construct a crafted HTTP request containing malicious special characters that are not properly filtered, leading to injection and execution of arbitrary system commands on the server side. The mechanism constitutes a bypass of the previous fix for CVE-2023-34960, indicating that the original mitigation was insufficient.
An unauthenticated attacker can obtain full remote code execution (RCE) on the server hosting Chamilo LMS, which in practice means the ability to take control of the system, steal data, install backdoors, or perform further lateral movement in the network.
Chamilo LMS should be updated to a version containing fixes indicated in the vendor's commits (37be9ce7243a30259047dd4517c48ff8b21d657a and 4c69b294f927db62092e01b70ac9bd6e32d5b48b). It is recommended to monitor the vendor's security page at the address indicated in the references and immediately apply available patches.
Chamilo LMS in versions up to and including 1.11.20
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HChamilo
APPChamilo< 1.11.20
Related vulnerabilities
Chamilo LMS – ominięcie ochrony upload plików i RCE przez .htaccess
Path Traversal i RCE w Chamilo LMS — nieuwierzytelniony zapis pliku
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attac...
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or ...
Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated ...