Vulnerability Details : CVE-2023-4221
Command injection in `main/lp/openoffice_presentation.class.php` in Chamilo LMS <= v1.11.24 allows users permitted to upload Learning Paths to obtain remote code execution via improper neutralisation of special characters.
Vulnerability category: Execute code
Products affected by CVE-2023-4221
- cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-4221
0.82%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 82 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-4221
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
STAR Labs SG Pte. Ltd. | |
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2023-4221
-
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.Assigned by:
- info@starlabs.sg (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2023-4221
-
https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-128-2023-09-04-Critical-impact-Moderate-risk-Authenticated-users-may-gain-unauthenticated-RCE-CVE-2023-4221CVE-2023-4222
Security issues - Chamilo LMS - Chamilo Tracking SystemIssue Tracking;Vendor Advisory
-
https://github.com/chamilo/chamilo-lms/commit/ed72914608d2a07ee2eb587c1a654480d08201db
LP: Security: sanitize params when executing converter · chamilo/chamilo-lms@ed72914 · GitHubPatch
-
https://starlabs.sg/advisories/23/23-4221
(CVE-2023-4221) Chamilo LMS Learning Path PPT2LP OpenofficePresentation Command Injection | STAR LabsExploit;Third Party Advisory
-
https://github.com/chamilo/chamilo-lms/commit/841a07396fed0ef27c5db13a1b700eac02754fc7
Security: Avoid wrapping commands in double quotes as escapeshellarg(… · chamilo/chamilo-lms@841a073 · GitHubPatch
Jump to