CVE-2023-34960
Published 2023-08-01
Priority: P1 · 94 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 99.40% (99.9th percentile)
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chamilo | chamilo | < 1.11.20 | 1.11.20 |
| chamilo | chamilo | <= 1.11.20 | — |
| chamilo | chamilo | 1.11.0 – 1.11.18 | — |
Detection & IOCs (extracted from sources)
- command: `file_data`, `file_name` = `` `{}`.pptx'|" |cat /etc/passwd||a # ``, `service_ppt2lp_size` = `720x540`
- path: /chamilo/main/webservices/additional_webservices.php
- snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Chamilo CMS wsConvertPpt Command Injection Attempt (CVE-2023-34960)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/chamilo/main/webservices/additional_webservices.php"; fast_pattern; http.request_body; content:"|3c|value xsi|3a|type|3d 22|xsd|3a|string|22 3e 60|"; content:"|60 2e|ppt"; distance:0; reference:cve,2023-34960; reference:url,attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960; classtype:attempted-admin; sid:2047056; rev:1; metadata:affected_product Web_Server_Applications, attack_target Web_Server, created_at 2023_08_03, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_08_03, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services; target:dest_ip;)
```
- bytes: `|3c|value xsi|3a|type|3d 22|xsd|3a|string|22 3e 60|`
- Target HTTP POST requests to /main/webservices/additional_webservices.php (or /chamilo/main/webservices/additional_webservices.php); look for a SOAP XML body containing a backtick-delimited command injection payload within a string-typed value element, followed by a .ppt or .pptx extension.
- The exploit is unauthenticated: no session cookie or credentials are required. Any POST to the wsConvertPpt SOAP endpoint with a crafted filename should be treated as suspicious regardless of authentication state.
- The injection is carried inside the PowerPoint filename field of the SOAP request; the payload uses backtick command substitution (`` ` ``) embedded in the filename before the .pptx extension to achieve OS command execution.
- Use the Shodan queries http.component:"Chamilo" or cpe:"cpe:2.3:a:chamilo:chamilo" to identify exposed Chamilo instances for proactive scanning.
- Validate the response for a Content-Type: text/xml header and HTTP 200 status alongside a regex match for root:.*:0:0: in the body to confirm successful /etc/passwd exfiltration via the injection.
- The Snort/ET rule uses the URI path /chamilo/main/webservices/additional_webservices.php (with the /chamilo/ prefix), while the Nuclei template and Metasploit module reference /main/webservices/additional_webservices.php (without the prefix). Deployments where Chamilo is installed at the web root will not match the ET rule's URI pattern; tune accordingly.
- Affected versions are Chamilo v1.11.* up to and including v1.11.18 only; detections should be scoped to these versions to reduce false positives on patched deployments.
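The ET rule above and the install-prefix caveat can be reproduced in a small request classifier, useful when triaging web-server logs or packet captures without a Suricata sensor. The following is an added example written for this page, not code from Emerging Threats, Chamilo, the Nuclei template or the Metasploit module. Only the two body contents and the URI of sid 2047056 are taken from the rule; the SOAP envelope layout in `soap_body`, the sample requests, and the function names `matches_et_rule`, `matches_prefix_agnostic` and `triage` are assumptions made for the example. The suspicious samples reuse the page's own `` `{}`.pptx `` placeholder rather than any real command.

```python
import re
from typing import List, Tuple

# Endpoint as referenced by the Nuclei template and Metasploit module (no prefix)
# and by the ET rule (with the /chamilo/ prefix).
ENDPOINT_SUFFIX = "/main/webservices/additional_webservices.php"
ET_RULE_URI = "/chamilo" + ENDPOINT_SUFFIX

# The ET rule's two body contents, '<value xsi:type="xsd:string">`' and, after it
# (distance:0), '`.ppt', expressed as one ordered regex. DOTALL covers multi-line bodies.
ET_BODY_PATTERN = re.compile(r'<value xsi:type="xsd:string">`.*?`\.ppt', re.DOTALL)


def matches_et_rule(method: str, uri: str, body: str) -> bool:
    """Strict reading of sid 2047056: POST, /chamilo/-prefixed URI, ordered body match."""
    return (
        method.upper() == "POST"
        and ET_RULE_URI in uri
        and ET_BODY_PATTERN.search(body) is not None
    )


def matches_prefix_agnostic(method: str, uri: str, body: str) -> bool:
    """Same body check, but accepts any install path: web root, /chamilo/, /lms/, ..."""
    path = uri.split("?", 1)[0]          # ignore any query string
    return (
        method.upper() == "POST"
        and path.endswith(ENDPOINT_SUFFIX)
        and ET_BODY_PATTERN.search(body) is not None
    )


def soap_body(file_name: str) -> str:
    """Constructed SOAP body. Only the string-typed <value> element comes from the
    ET rule; the surrounding envelope layout is an assumption made for this example."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<SOAP-ENV:Envelope><SOAP-ENV:Body><wsConvertPpt>'
        '<item><key xsi:type="xsd:string">file_name</key>'
        f'<value xsi:type="xsd:string">{file_name}</value></item>'
        '</wsConvertPpt></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )


# Constructed sample traffic: (label, method, uri, body).
SAMPLE_REQUESTS: List[Tuple[str, str, str, str]] = [
    ("root-install",   "POST", "/main/webservices/additional_webservices.php",         soap_body("`{}`.pptx")),
    ("prefix-install", "POST", "/chamilo/main/webservices/additional_webservices.php", soap_body("`{}`.pptx")),
    ("benign-upload",  "POST", "/chamilo/main/webservices/additional_webservices.php", soap_body("lecture01.pptx")),
    ("wrong-method",   "GET",  "/chamilo/main/webservices/additional_webservices.php", soap_body("`{}`.pptx")),
]


def triage(requests=SAMPLE_REQUESTS) -> List[Tuple[str, bool, bool]]:
    """Return (label, et_rule_hit, prefix_agnostic_hit) for each request."""
    return [
        (label, matches_et_rule(m, u, b), matches_prefix_agnostic(m, u, b))
        for label, m, u, b in requests
    ]


if __name__ == "__main__":
    for label, et_hit, agnostic_hit in triage():
        print(f"{label:15s} ET rule: {str(et_hit):5s} prefix-agnostic: {agnostic_hit}")
```

The `root-install` sample is the case the caveat warns about: the body matches but the strict rule misses it because the URI lacks `/chamilo/`, while the prefix-agnostic check still flags it. A benign upload with an ordinary filename and a GET to the same endpoint are not flagged by either check.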
CVSS provenance
nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
GHSA-x9xc-jg9p-2j7f (GHSA, unreviewed, 2023-11-28, CVSS 9.8): CVE-2023-3368 [CRITICAL] CWE-78
Command injection in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to obtain remote code execution via improper neutralisation of special characters. This is a bypass of CVE-2023-34960.
GHSA-p97h-9fxf-wpq6 (GHSA, unreviewed, 2023-08-01): CVE-2023-34960 [CRITICAL] CWE-77
Description: same as the CVE summary above.
VulnCheck (2023, CVSS 9.8): CVE-2023-34960 [CRITICAL], chamilo chamilo, Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description: same as the CVE summary above.
Affected: chamilo chamilo
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://github.com/chamilo/chamilo-lms/issues/4813; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-25&host_type=src&vulnerability=cve-2023-34960; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-01&host_type=src&vuln
VulnCheck (2023, CVSS 9.8): CVE-2023-3368 [CRITICAL], chamilo chamilo, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Description: same as the GHSA-x9xc-jg9p-2j7f entry above.
Affected: chamilo chamilo
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://media.defense.gov/2024/Sep/18/2003547016/-1/-1/0/CSA-PRC-LINKED-ACTORS-BOTNET.PDF; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2023-3368&date=2025-10-31; https://api.vulncheck.com/v3/index/vulncheck-canaries?c
Suricata (2023-08-03, CVSS 9.8): CVE-2023-34960 [CRITICAL], ET WEB_SPECIFIC_APPS Chamilo CMS wsConvertPpt Command Injection Attempt (CVE-2023-34960)
Rule: sid 2047056, reproduced in full under Detection & IOCs above.
Nuclei (CVSS 9.8): CVE-2023-34960 [CRITICAL], Chamilo Command Injection
Description: same as the CVE summary above.
Template:
```yaml
id: CVE-2023-34960

info:
  name: Chamilo Command Injection
  author: DhiyaneshDK
  severity: critical
  description: |
    A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, and potential compromise of the entire system.
  remediation: |
    Apply the latest security patches or updates provided by the vendor to fix the command inj
```
Metasploit (CVSS 9.8): CVE-2023-34960 [CRITICAL], Chamilo unauthenticated command injection in PowerPoint upload
Chamilo is an e-learning platform, also called a Learning Management System (LMS). This module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions `1.11.18` and below (CVE-2023-34960). Due to a functionality called Chamilo Rapid, meant to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at OS level using a malicious SOAP request at the vulnerable endpoint `/main/webservices/additional_webservices.php`.
References:
- http://chamilo.com
- http://packetstormsecurity.com/files/174314/Chamilo-1.11.18-Command-Injection.html
- https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-112-2023-04-20-Critical-impact-High-risk-Remote-Code-Execution
Published: 2023-08-01 · Exploited in the wild