CRITICAL🇵🇱 Wersja polska

CVE-2023-3545

CVSS 9.8v3.1pub. 2023-11-28upd. 2024-11-21

Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution.

🤖 AI Analysis
How it works

The vulnerability results from improper sanitization of file names in the `main/inc/lib/fileUpload.lib.php` module. An attacker can upload a file named `.htaccess`, which the filtering mechanism does not properly reject on Windows platform with Apache server. The placed `.htaccess` file allows modifying the server configuration in a given directory, which enables execution of malicious code on the server side. The vulnerability can also be used as part of an attack chain in combination with CVE-2023-3533 (unauthorized arbitrary file write) to obtain full RCE.

Impact

An attacker can obtain remote code execution (RCE) on the server, leading to full takeover of the application and potentially the entire system, including violation of confidentiality, integrity and availability of data.

Mitigation & patch

Chamilo LMS should be updated to a version containing the fix available in commit dc7bfce429fbd843a95a57c184b6992c4d709549. Detailed information about the patch is available in the vendor's references and in the project's GitHub repository.

Who is affected

Chamilo LMS in versions up to and including 1.11.20, running on Windows environments with Apache server

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Chamilo

    APP
    Chamilo
    ≤ 1.11.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEAuth Bypass
CWE
References

Related vulnerabilities

CVE-2023-3368CRITICAL9.8PL ✓ten sam produkt

Command injection w Chamilo LMS umożliwiający RCE bez uwierzytelnienia

CVE-2023-3533CRITICAL9.8PL ✓ten sam produkt

Path Traversal i RCE w Chamilo LMS — nieuwierzytelniony zapis pliku

CVE-2023-34960CRITICAL9.8ten sam produkt

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attac...

CVE-2021-34187CRITICAL9.8ten sam produkt

main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or ...

CVE-2022-42029HIGH8.8ten sam produkt

Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated ...