cbcvebase.
CVE-2023-4220
published 2023-11-28

CVE-2023-4220: Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows…

Priority: P1 85 · Severity: medium · CVSS 3.1 score: 6.1
Vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
Flags: in-the-wild exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 76.08% (99.5th percentile)
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.

Affected (2 ranges)

Vendor    Product       Version range   Fixed in
chamilo   chamilo       <= 1.11.24
chamilo   chamilo_lms   <= 1.11.24

Detection & IOCs (extracted from sources)

path:  /main/inc/lib/javascript/bigupload/inc/bigUpload.php
url:   /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported
path:  /main/inc/lib/javascript/bigupload/files/
other: shodan-query: "X-Powered-By: Chamilo"
sigma: POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported
  • Trigger condition: a request to bigUpload.php carrying the query-string parameter `action=post-unsupported` bypasses the file extension checks, allowing unauthenticated PHP webshell upload.
  • Uploaded webshells land in `/main/inc/lib/javascript/bigupload/files/`; monitor for new .php files appearing in this directory.
  • Detect exploitation by correlating a POST to bigUpload.php?action=post-unsupported followed by a GET to /main/inc/lib/javascript/bigupload/files/<filename>.php (or .txt probe) returning HTTP 200.
  • The exploit uses multipart/form-data with field name `bigUploadFile` to deliver the payload; alert on this field name in POST bodies to the vulnerable endpoint.
  • Post-exploitation: attacker reads `/var/www/chamilo/app/config/configuration.php` for database credentials; monitor file access to this path from web-server processes.
  • Exploit commands are base64-encoded and URL-encoded before being passed as a query parameter to the dropped webshell; look for base64-like strings in GET parameters to /bigupload/files/*.php.
  • The `/main/inc/lib/javascript/bigupload/files/` upload directory does not exist by default; exploitation requires it to be pre-created (e.g., by prior legitimate use of the bigupload feature).
  • The vulnerability is unauthenticated — no session or credentials are required to reach the upload endpoint.
  • EPSS score of 0.93236 (99.8th percentile) indicates very high real-world exploitation probability; treat any Chamilo instance <= 1.11.24 as actively targeted.
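The correlation described in the detection bullets above, as an added example (not part of the original record or of Chamilo): it parses constructed web-server access-log lines and flags a client that POSTs to bigUpload.php with `action=post-unsupported` and then fetches a `.php` (or `.txt` probe) under `bigupload/files/` with HTTP 200. Log format, IPs and file names are assumed sample values.

```python
import re

# Constructed sample access-log lines in combined log format (not real traffic).
# Client 203.0.113.10 performs the bypass upload and then fetches the dropped file;
# client 198.51.100.7 uses the normal upload action and fetches a media file.
SAMPLE_LOG = """\
203.0.113.10 - - [28/Nov/2023:10:00:01 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post-unsupported HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.10 - - [28/Nov/2023:10:00:02 +0000] "GET /main/inc/lib/javascript/bigupload/files/upload.php?cmd=aWQ%3D HTTP/1.1" 200 54 "-" "python-requests/2.31"
198.51.100.7 - - [28/Nov/2023:10:05:00 +0000] "POST /main/inc/lib/javascript/bigupload/inc/bigUpload.php?action=post HTTP/1.1" 200 20 "-" "Mozilla/5.0"
198.51.100.7 - - [28/Nov/2023:10:05:01 +0000] "GET /main/inc/lib/javascript/bigupload/files/lecture.mp4 HTTP/1.1" 200 91234 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

UPLOAD_ENDPOINT = "/main/inc/lib/javascript/bigupload/inc/bigUpload.php"
FILES_DIR = "/main/inc/lib/javascript/bigupload/files/"
PROBE_SUFFIXES = (".php", ".txt")


def parse_line(line):
    """Return a dict of log fields, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_bigupload_exploitation(log_text):
    """Return [(ip, path)] for clients that sent the bypass POST and then
    successfully retrieved a .php/.txt file from the upload directory."""
    bypass_clients = set()  # IPs seen hitting action=post-unsupported
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        path, query = ev["target"].partition("?")[::2]
        if (ev["method"] == "POST" and path == UPLOAD_ENDPOINT
                and "action=post-unsupported" in query.split("&")):
            bypass_clients.add(ev["ip"])
        elif (ev["method"] == "GET" and path.startswith(FILES_DIR)
              and path.lower().endswith(PROBE_SUFFIXES)
              and ev["status"] == "200" and ev["ip"] in bypass_clients):
            hits.append((ev["ip"], path))
    return hits
```

A real deployment would key on a per-client time window rather than the whole log, but the two-step sequence is the signal to alert on.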

CVSS provenance

nvd: CVSS v3.1, 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vulncheck: 8.1 HIGH