Chamilo LMS File Upload Functionality Remote Code Execution
CVE-2023-4225

8.8 HIGH

Key Information:

Vendor: Chamilo

Status: Vendor

CVE Published: 28 November 2023

What is CVE-2023-4225?

Chamilo LMS contains an unrestricted file upload vulnerability in the '/main/inc/ajax/exercise.ajax.php' script. An authenticated user holding only the learner role can upload a malicious PHP file, which can lead to remote code execution on the server. Administrators should review and apply the latest patches and updates to ensure their systems are protected.

Affected Version(s)

Chamilo LMS, all versions up to and including 1.11.24

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)