cbcvebase.
CVE-2023-34960
published 2023-08-01

Priority: P1 · 94 · critical
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 99.40% (99.9th percentile)
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.

Affected (3 ranges)

Vendor   Product  Version range     Fixed in
chamilo  chamilo  < 1.11.20         1.11.20
chamilo  chamilo  <= 1.11.20
chamilo  chamilo  1.11.0 – 1.11.18

Detection & IOCs (extracted from sources)

url: /main/webservices/additional_webservices.php
command: file_data file_name `{}`.pptx'|" |cat /etc/passwd||a # service_ppt2lp_size 720x540
path: /chamilo/main/webservices/additional_webservices.php
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Chamilo CMS wsConvertPpt Command Injection Attempt (CVE-2023-34960)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/chamilo/main/webservices/additional_webservices.php"; fast_pattern; http.request_body; content:"|3c|value xsi|3a|type|3d 22|xsd|3a|string|22 3e 60|"; content:"|60 2e|ppt"; distance:0; reference:cve,2023-34960; reference:url,attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960; classtype:attempted-admin; sid:2047056; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2023_08_03, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_03, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
bytes: |3c|value xsi|3a|type|3d 22|xsd|3a|string|22 3e 60|
  • Target HTTP POST requests to /main/webservices/additional_webservices.php (or /chamilo/main/webservices/additional_webservices.php); look for a SOAP XML body containing a backtick-delimited command injection payload within a string-typed value element, followed by a .ppt or .pptx extension.
  • The exploit is unauthenticated — no session cookie or credentials are required. Any POST to the wsConvertPpt SOAP endpoint with a crafted filename should be treated as suspicious regardless of authentication state.
  • The injection is carried inside the PowerPoint filename field of the SOAP request; the payload uses backtick command substitution (`) embedded in the filename before the .pptx extension to achieve OS command execution.
  • Use Shodan queries http.component:"Chamilo" or cpe:"cpe:2.3:a:chamilo:chamilo" to identify exposed Chamilo instances for proactive scanning.
  • Validate response for Content-Type: text/xml header and HTTP 200 status alongside a regex match for root:.*:0:0: in the body to confirm successful /etc/passwd exfiltration via the injection.
  • The Snort/ET rule uses the URI path /chamilo/main/webservices/additional_webservices.php (with /chamilo/ prefix), while the Nuclei template and Metasploit module reference /main/webservices/additional_webservices.php (without prefix). Deployments where Chamilo is installed at the web root will not match the ET rule's URI pattern; tune accordingly.
  • Affected versions are Chamilo v1.11.* up to and including v1.11.18 only; detections should be scoped to these versions to reduce false positives on patched deployments.
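
The URI-prefix gap and the body match described in the notes above, as an added Python sketch for scanning captured or logged requests (not code from this page, the ET ruleset, Nuclei or Metasploit). The function names are hypothetical and the sample requests are constructed, with an inert placeholder between the backticks.

```python
import re
from urllib.parse import unquote, urlsplit

ET_RULE_URI = "/chamilo/main/webservices/additional_webservices.php"  # literal from the ET rule
# Path suffix common to web-root installs and /chamilo/-prefixed installs.
ENDPOINT = re.compile(r"/main/webservices/additional_webservices\.php$")
# Body anchors mirrored from the ET rule: a string-typed <value> that opens with a
# backtick, later followed by a backtick and ".ppt" (which also covers ".pptx").
BODY = re.compile(rb'<value xsi:type="xsd:string">`.*?`\.ppt', re.S)


def normalise_path(uri: str) -> str:
    """Drop the query string, percent-decode once and collapse repeated slashes."""
    return re.sub(r"/{2,}", "/", unquote(urlsplit(uri).path))


def classify(method: str, uri: str, body: bytes):
    """Return 'injection-attempt', 'endpoint-post' or None for one request.

    Cookies and credentials are deliberately not consulted: the notes above
    state that no session or credentials are required.
    """
    if method.upper() != "POST" or not ENDPOINT.search(normalise_path(uri)):
        return None
    return "injection-attempt" if BODY.search(body) else "endpoint-post"


def et_rule_uri_matches(uri: str) -> bool:
    """URI test as written in the ET rule (plain substring, /chamilo/ prefix)."""
    return ET_RULE_URI in uri


# Constructed sample requests; the backtick content is an inert placeholder.
FLAGGED = (b'<item><key xsi:type="xsd:string">file_name</key>'
           b'<value xsi:type="xsd:string">`PLACEHOLDER`.pptx</value></item>')
BENIGN = (b'<item><key xsi:type="xsd:string">file_name</key>'
          b'<value xsi:type="xsd:string">slides.pptx</value></item>')
SAMPLES = [
    ("POST", "/main/webservices/additional_webservices.php", FLAGGED),
    ("POST", "/chamilo/main/webservices/additional_webservices.php", FLAGGED),
    ("POST", "/main//webservices/additional_webservices.php?x=1", BENIGN),
    ("GET", "/index.php", b""),
]

if __name__ == "__main__":
    for method, uri, body in SAMPLES:
        print(method, uri, classify(method, uri, body), et_rule_uri_matches(uri))
```

The first sample is flagged by `classify` but not by the ET rule's URI literal, which is the web-root case the tuning note describes.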

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck           9.8    CRITICAL