CVE-2023-3368

Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.
Configurations

Configuration 1 (hide)

cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*

History

04 Dec 2023, 18:57

Type Values Removed Values Added
CPE cpe:2.3:a:chamilo:chamilo:*:*:*:*:*:*:*:*
References () https://https://github.com/chamilo/chamilo-lms/commit/4c69b294f927db62092e01b70ac9bd6e32d5b48b - () https://https://github.com/chamilo/chamilo-lms/commit/4c69b294f927db62092e01b70ac9bd6e32d5b48b - Patch
References () https://starlabs.sg/advisories/23/23-3368/ - () https://starlabs.sg/advisories/23/23-3368/ - Exploit, Third Party Advisory
References () https://github.com/chamilo/chamilo-lms/commit/37be9ce7243a30259047dd4517c48ff8b21d657a - () https://github.com/chamilo/chamilo-lms/commit/37be9ce7243a30259047dd4517c48ff8b21d657a - Patch
References () https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368 - () https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368 - Issue Tracking, Vendor Advisory
CWE CWE-78
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8

28 Nov 2023, 07:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-11-28 07:15

Updated : 2024-02-05 00:22


NVD link : CVE-2023-3368

Mitre link : CVE-2023-3368

CVE.ORG link : CVE-2023-3368


JSON object : View

Products Affected

chamilo

  • chamilo
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')