CVE-2023-4220
published 2023-11-28
CVE-2023-4220: Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows…
PriorityP185medium6.1CVSS 3.1
AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 76.08% (99.5th percentile)
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chamilo | chamilo | <= 1.11.24 | — |
| chamilo | chamilo_lms | <= 1.11.24 | — |
Detection & IOCs (extracted from sources)
sigma
POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported
- Trigger condition: HTTP GET parameter `action=post-unsupported` sent to bigUpload.php bypasses file extension checks, allowing unauthenticated PHP webshell upload.
- Uploaded webshells land in `/main/inc/lib/javascript/bigupload/files/`; monitor for new .php files appearing in this directory.
- Detect exploitation by correlating a POST to bigUpload.php?action=post-unsupported followed by a GET to /main/inc/lib/javascript/bigupload/files/<filename>.php (or .txt probe) returning HTTP 200.
- The exploit uses multipart/form-data with field name `bigUploadFile` to deliver the payload; alert on this field name in POST bodies to the vulnerable endpoint.
- Post-exploitation: attacker reads `/var/www/chamilo/app/config/configuration.php` for database credentials; monitor file access to this path from web-server processes.
- Exploit commands are base64-encoded and URL-encoded before being passed as a query parameter to the dropped webshell; look for base64-like strings in GET parameters to /bigupload/files/*.php.
- The `/main/inc/lib/javascript/bigupload/files/` upload directory does not exist by default; exploitation requires it to be pre-created (e.g., by prior legitimate use of the bigupload feature).
- The vulnerability is unauthenticated: no session or credentials are required to reach the upload endpoint.
- EPSS score of 0.93236 (99.8th percentile) indicates very high real-world exploitation probability; treat any Chamilo instance <= 1.11.24 as actively targeted.
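The correlation the bullets above describe, written out as detection logic over web-server access logs. This is an added example for this page, not code from any of the aggregated sources; the log lines, client addresses, timestamps and file names are constructed, the Combined Log Format and the 10-minute correlation window are assumptions, and only the endpoint and upload-directory paths come from the advisory.

```python
"""Detection logic for the CVE-2023-4220 indicators listed above, run over
constructed web-server access-log lines (Combined Log Format).
Added example for this page, not code from any of the sources it aggregates.
IPs, timestamps and file names are constructed; the endpoint and upload
directory paths are the ones the advisory names."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

UPLOAD_ENDPOINT = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php"
UPLOAD_DIR = "/main/inc/lib/javascript/bigupload/files/"
CORRELATION_WINDOW = timedelta(minutes=10)  # assumption: tune for your traffic

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# base64 alphabet, with '+', '/' and '=' possibly URL-encoded; 16+ characters
BASE64ISH_RE = re.compile(r"^(?:[A-Za-z0-9+/]|%2[BbFf]|%3[Dd]){16,}$")

# Constructed sample log (not from a real incident). One client exercises the
# full chain; a second client uses the normal "action=post" upload path.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [05/Dec/2024:10:00:05 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 42
203.0.113.7 - - [05/Dec/2024:10:00:09 +0000] "GET /main/inc/lib/javascript/bigupload/files/probe.txt HTTP/1.1" 200 17
203.0.113.7 - - [05/Dec/2024:10:00:12 +0000] "GET /main/inc/lib/javascript/bigupload/files/shell.php?cmd=Q29uc3RydWN0ZWRTYW1wbGU%3D HTTP/1.1" 200 210
198.51.100.4 - - [05/Dec/2024:10:05:00 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post HTTP/1.1" 200 42
198.51.100.4 - - [05/Dec/2024:10:05:02 +0000] "GET /main/inc/lib/javascript/bigupload/files/video.mp4 HTTP/1.1" 200 1048576
"""


def parse_line(line):
    """Parse one Combined Log Format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Keep query values raw (no percent-decoding) so '+' and '%3D' survive
    # for the base64 heuristic below.
    rec["query"] = dict(
        kv.split("=", 1) if "=" in kv else (kv, "")
        for kv in parts.query.split("&") if kv
    )
    return rec


def analyse(lines):
    """Return (finding, client_ip, detail) tuples for the indicators above."""
    findings = []
    last_bypass_post = {}  # client ip -> time of its last action=post-unsupported POST
    for rec in filter(None, map(parse_line, lines)):
        if (rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT
                and rec["query"].get("action") == "post-unsupported"):
            findings.append(("extension_check_bypass", rec["ip"], rec["target"]))
            last_bypass_post[rec["ip"]] = rec["ts"]
            continue
        if rec["method"] != "GET" or not rec["path"].startswith(UPLOAD_DIR):
            continue
        if rec["path"].endswith((".php", ".txt")):
            # Bypass POST followed by a successful fetch of a .php (or .txt probe) from the same client
            t0 = last_bypass_post.get(rec["ip"])
            if t0 is not None and rec["status"] == 200 and rec["ts"] - t0 <= CORRELATION_WINDOW:
                findings.append(("upload_then_fetch_200", rec["ip"], rec["path"]))
        if rec["path"].endswith(".php") and any(BASE64ISH_RE.match(v) for v in rec["query"].values()):
            # base64-like query parameter sent to a .php file in the upload directory
            findings.append(("encoded_param_to_dropped_php", rec["ip"], rec["target"]))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{kind:32} {ip:15} {detail}")
```

Run against the constructed sample, the first client produces four findings (the bypass POST, the .txt probe and .php fetch that follow it within the window, and the base64-like parameter to the dropped .php), while the second client's ordinary `action=post` upload and media fetch produce none. Because the .txt probe is flagged only after a bypass POST from the same address, a stray 200 on a text file in that directory does not fire on its own.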
CVSS provenance
nvd · CVSS v3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck · 8.1 HIGH
GHSA
GHSA-9wc2-3gq5-2f4c [HIGH] CWE-434 · ghsa_unreviewed · 2023-11-28
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
VulnCheck
chamilo chamilo Unrestricted Upload of File with Dangerous Type [HIGH] · vulncheck · 2023 · CVSS 8.1
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
Affected: chamilo chamilo
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-12-05&host_type=src&vulnerability=cve-2023-4220; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-12-11&host_type=src&vulner
No detection rules found.
Exploit-DB
Chamilo LMS 1.11.24 - Remote Code Execution (RCE) [HIGH] · exploitdb · 2025-03-18 · CVSS 8.1
```python
# Exploit Title: Chamilo LMS 1.11.24 - Remote Code Execution (RCE)
# Exploit Author: 0x00-null - Mohamed Kamel BOUZEKRIA
# Exploit Date: September 3, 2024
# Vendor Homepage: https://chamilo.org/
# Software Link: https://chamilo.org/
# Version: 1.11.24 (Beersel)
# Tested Versions: 1.11.24 (Beersel) - August 31, 2023
# CVE ID: CVE-2023-4220
# Vulnerability Type: Remote Code Execution
# Description: Unauthenticated remote code execution in Chamilo LMS ', 'application/x-php')}
# Upload the payload
response = requests.post(upload_url, files=files)
if response.status_code == 200:
    print("[+] File uploaded successfully!")
    print(f"[+] Access the shell at: {shell_url}?cmd=")
else:
    print("[-] File upload failed.")
def execute_command(shell_ur
```
Metasploit
Chamilo v1.11.24 Unrestricted File Upload PHP Webshell · metasploit
Chamilo LMS is a free software e-learning and content management system. In versions prior to <= v1.11.24 a webshell can be uploaded via the bigload.php endpoint. If the GET request parameter `action` is set to `post-unsupported` file extension checks are skipped allowing for attacker controlled .php files to be uploaded to: `/main/inc/lib/javascript/bigupload/files/` if the `/files/` directory already exists - it does not exist by default.
Nuclei
Chamilo LMS <= 1.11.24 - Remote Code Execution [MEDIUM] · nuclei · CVSS 6.1
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
Template:
```yaml
id: CVE-2023-4220

info:
  name: Chamilo LMS <= 1.11.24 - Remote Code Execution
  author: s4e-io
  severity: medium
  description: |
    Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
  impact: |
    Unauthenticated attackers can upload
```
CTF
easy / README [MEDIUM] · ctf_writeups · CVSS 6.0
---
layout: default
title: Easy Machines
parent: Machines
nav_order: 1
description: "120+ Easy HTB machine writeups with walkthroughs"
permalink: /machines/easy/
---
# HackTheBox Easy Machines - Comprehensive Reference
> Complete catalog of retired HTB Easy machines with OS, key vulnerability, attack path summary, and quality writeup links.
**Total: 100+ Easy Machines** | Updated: April 2026
---
## Quick Navigation
- [Classic / Legacy Machines (2017-2019)](#classic--legacy-machines-2017-2019)
- [2019-2020 Machines](#2019-2020-machines)
- [2021 Machines](#2021-machines)
- [2022 Machines](#2022-machines)
- [2023 Machines](#2023-machines)
- [2024 Machines (Season 4 & 5)](#2024-machines-season-4--5)
- [2025-2026 Machines (Season 6+)](#2025-2026-machines-season-6)
---
## Classic / Legac
CTF
PermX / README [HIGH] · ctf_writeups · CVSS 8.1
# PermX - HackTheBox - Writeup
Linux, 20 Base Points, Easy
## Machine
## TL;DR
To solve this machine, we start by using `nmap` to enumerate open services and find ports `22`, and `80`.
**User:** Found a virtual host `lms.permx.htb` running `Chamilo`. Uploaded a web shell using `CVE-2023-4220`. Discovered the password for user `mtz` in `/var/www/chamilo/app/config/configuration.php`.
**Root:** Ran `sudo -l` and found that we can execute `/opt/acl.sh`, which runs `/bin/setfacl` as `root`. Created a symlink to the `sudoers` file and added `mtz` to the sudoers to gain a `root` shell.
## PermX Solution
### User
Let's begin by using `nmap` to scan the target machine:
```console
┌─[evyatar9@parrot]─[/hackthebox/PermX]
└──╼ $ nmap -sV -sC -oA nmap/PermX 10.10.11.23
Starting Nmap 7.93
```
References
- https://github.com/chamilo/chamilo-lms/commit/3b487a55076fb06f96809b790a35dcdd42f8ec49
- https://starlabs.sg/advisories/23/23-4220
- https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-130-2023-09-04-Critical-impact-High-risk-Unauthenticated-users-may-gain-XSS-and-unauthenticated-RCE-CVE-2023-4220