CVE-2023-34960

9.8 CRITICAL

📋 TL;DR

A critical command injection vulnerability in Chamilo's wsConvertPpt component allows remote attackers to execute arbitrary commands on the server via crafted PowerPoint filenames in SOAP API calls. This affects Chamilo v1.11.* up to v1.11.18 installations, potentially giving attackers complete control over affected systems.

💻 Affected Systems

Products:
  • Chamilo
Versions: v1.11.* up to v1.11.18
Operating Systems: All operating systems running Chamilo
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable wsConvertPpt component enabled are affected. The SOAP API must be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with the attacker gaining root/administrator privileges, data exfiltration, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case: Remote code execution leading to web shell installation, credential theft, lateral movement within the network, and data breach.

🟢 If Mitigated: Limited impact if proper network segmentation, least privilege, and input validation are in place, though exploitation could still occur.

🌐 Internet-Facing: HIGH - Exploitable via SOAP API calls without authentication, making internet-facing instances immediately vulnerable to attack.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require network access; risk increases if internal users can access the SOAP API.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available on Packet Storm Security, making exploitation trivial for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.11.19 and later

Vendor Advisory: https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-112-2023-04-20-Critical-impact-High-risk-Remote-Code-Execution

Restart Required: No

Instructions:

1. Backup your Chamilo installation and database.
2. Download Chamilo v1.11.19 or later from the official website.
3. Replace the vulnerable files with the patched version.
4. Verify the installation works correctly.

🔧 Temporary Workarounds

Disable SOAP API (applies to: all)

Temporarily disable the SOAP API to prevent exploitation while patching.

Edit the Chamilo configuration to disable the SOAP API endpoints, or block access to them via the web server configuration.

Input Validation Filter (applies to: all)

Implement strict input validation for PowerPoint filenames in the wsConvertPpt component.

Add a filename validation regex that rejects special characters and command injection patterns.

🧯 If You Can't Patch

  • Implement strict network access controls to limit SOAP API access to trusted IP addresses only.
  • Deploy a web application firewall (WAF) with command injection rules to block exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check if Chamilo version is between v1.11.0 and v1.11.18 inclusive, and verify the wsConvertPpt component is present and accessible.

Check Version:

Check the Chamilo admin panel or examine the main/inc/conf/configuration.php file for version information.

Verify Fix Applied:

Confirm Chamilo version is v1.11.19 or later, and test that command injection attempts via PowerPoint filenames are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SOAP API requests with PowerPoint filenames containing shell metacharacters like ;, |, &, or $( )
  • Unexpected process executions from the web server user account
  • Failed command injection attempts in web server logs

Network Indicators:

  • SOAP API requests to wsConvertPpt endpoint with suspicious payloads
  • Outbound connections from the web server to unknown external IPs

SIEM Query:

source="web_server_logs" AND (uri="*wsConvertPpt*" AND (filename="*;*" OR filename="*|*" OR filename="*&*" OR filename="*$(*"))
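As an added example (not Chamilo's own code and not from the original advisory), one way to implement both the allowlist filename check from the workaround above and the detection logic of the SIEM query, run here over constructed log lines. The log format, the endpoint path and the filename field are assumptions, not Chamilo's real format.

```python
import re

# Allowlist for PowerPoint filenames: starts with an alphanumeric, then only
# word characters, spaces, dots or dashes, ending in .ppt/.pptx. Anything else
# (shell metacharacters, path separators, quotes) is rejected outright.
SAFE_PPT_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 ._-]{0,200}\.pptx?$", re.IGNORECASE)

def is_safe_ppt_filename(name: str) -> bool:
    """Return True only if the filename matches the strict allowlist."""
    return bool(SAFE_PPT_NAME.fullmatch(name))

# Denylist mirroring the page's SIEM query: shell metacharacters in the filename.
SHELL_META = re.compile(r"[;|&]|\$\(|`")

# Constructed log format (assumption): "<timestamp> <method> <uri> filename=\"<value>\""
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<method>\S+) (?P<uri>\S+) filename="(?P<filename>[^"]*)"$')

def scan_log(lines):
    """Return (timestamp, filename, reason) for each suspicious wsConvertPpt request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or "wsConvertPpt" not in m["uri"]:
            continue  # not a wsConvertPpt request, or not in the expected format
        fn = m["filename"]
        if SHELL_META.search(fn):
            hits.append((m["ts"], fn, "shell metacharacter"))
        elif not is_safe_ppt_filename(fn):
            hits.append((m["ts"], fn, "outside allowlist"))
    return hits

# Constructed sample lines; "/soap/wsConvertPpt" is a placeholder path, not Chamilo's real one.
SAMPLE_LOG = [
    '2023-06-01T10:00:00Z POST /soap/wsConvertPpt filename="lecture-01.pptx"',
    '2023-06-01T10:00:05Z POST /soap/wsConvertPpt filename="slides.ppt;echo hi"',
    '2023-06-01T10:00:09Z POST /soap/wsConvertPpt filename="$(hostname).ppt"',
    '2023-06-01T10:00:12Z POST /soap/other filename="x|y.ppt"',
    '2023-06-01T10:00:15Z POST /soap/wsConvertPpt filename="../../etc.pptx"',
]

if __name__ == "__main__":
    for ts, fn, why in scan_log(SAMPLE_LOG):
        print(f"{ts} suspicious filename {fn!r}: {why}")
```

The allowlist catches cases the metacharacter denylist misses (such as the path traversal sample), which is why the workaround recommends validation rather than blocking individual characters.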
