CRITICAL🇵🇱 Wersja polska

CVE-2023-3533

CVSS 9.8v3.1pub. 2023-11-28upd. 2024-11-21

Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write.

🤖 AI Analysis
How it works

The file `/main/webservices/additional_webservices.php` does not require authentication and does not properly filter paths passed during file uploads. An attacker can construct a request containing path traversal sequences (e.g., `../`), allowing file writing to any location accessible to the web server process. By placing an executable file (e.g., webshell) outside the intended directory this way, the attacker gains the ability to invoke it through a browser and thus achieve remote code execution on the server.

Impact

An unauthenticated attacker can gain full control over the server through RCE, as well as conduct stored XSS attacks on application users by uploading malicious files to accessible web locations.

Mitigation & patch

Update Chamilo LMS to a version containing the patch available in commit 37be9ce7243a30259047dd4517c48ff8b21d657a. Patch details are available in vendor references (support.chamilo.org and GitHub). As an interim measure, consider restricting access to the file `/main/webservices/additional_webservices.php` at the web server configuration level or through a web application firewall.

Who is affected

Chamilo LMS version 1.11.20 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Chamilo

    APP
    Chamilo
    ≤ 1.11.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEXSSPath TraversalAuth Bypass
CWE
References

Related vulnerabilities

CVE-2023-3368CRITICAL9.8PL ✓ten sam produkt

Command injection w Chamilo LMS umożliwiający RCE bez uwierzytelnienia

CVE-2023-3545CRITICAL9.8PL ✓ten sam produkt

Chamilo LMS – ominięcie ochrony upload plików i RCE przez .htaccess

CVE-2023-34960CRITICAL9.8ten sam produkt

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attac...

CVE-2021-34187CRITICAL9.8ten sam produkt

main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or ...

CVE-2022-42029HIGH8.8ten sam produkt

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated ...