CVE-2019-13082 - OpenCVE

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php file in a folder and then this folder in a ZIP archive, the server will accept this file without any checks. Because one can access this file from the website, it is remote code execution. This is related to a scorm imsmanifest.xml file, the import_package function, and extraction in $courseSysDir.$newDir.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Chamilo	Chamilo Lms

Configuration 1 [-]

cpe:2.3:a:chamilo:chamilo_lms:1.11.8:-:*:*:*:*:*:*

No data.

References

Link	Providers
https://0xecute.com/?p=32
https://support.chamilo.org/projects/1/wiki/Security_issues

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-06-30T15:07:27

Updated: 2024-08-04T23:41:10.242Z

Reserved: 2019-06-30T00:00:00

Link: CVE-2019-13082

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-06-30T16:15:09.747

Modified: 2019-07-03T18:01:27.307

Link: CVE-2019-13082

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php file in a folder and then this folder in a ZIP archive, the server will accept this file without any checks. Because one can access this file from the website, it is remote code execution. This is related to a scorm imsmanifest.xml file, the import_package function, and extraction in $courseSysDir.$newDir."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-30T15:07:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://0xecute.com/?p=32"}, {"tags": ["x_refsource_MISC"], "url": "https://support.chamilo.org/projects/1/wiki/Security_issues"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-13082", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php file in a folder and then this folder in a ZIP archive, the server will accept this file without any checks. Because one can access this file from the website, it is remote code execution. This is related to a scorm imsmanifest.xml file, the import_package function, and extraction in $courseSysDir.$newDir."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://0xecute.com/?p=32", "refsource": "MISC", "url": "https://0xecute.com/?p=32"}, {"name": "https://support.chamilo.org/projects/1/wiki/Security_issues", "refsource": "MISC", "url": "https://support.chamilo.org/projects/1/wiki/Security_issues"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:41:10.242Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://0xecute.com/?p=32"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.chamilo.org/projects/1/wiki/Security_issues"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-13082", "datePublished": "2019-06-30T15:07:27", "dateReserved": "2019-06-30T00:00:00", "dateUpdated": "2024-08-04T23:41:10.242Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:1.11.8:-:*:*:*:*:*:*", "matchCriteriaId": "BEA4A83D-D923-4A0C-B134-5C24EC68FD00", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. It extracts a ZIP archive before checking its content, and once it has been extracted, does not check files in a recursive way. This means that by putting a .php file in a folder and then this folder in a ZIP archive, the server will accept this file without any checks. Because one can access this file from the website, it is remote code execution. This is related to a scorm imsmanifest.xml file, the import_package function, and extraction in $courseSysDir.$newDir."}, {"lang": "es", "value": "Chamilo LMS versiones 1.11.8 y 2.x, permite la ejecuci\u00f3n de c\u00f3digo remota por medio de una funci\u00f3n de carga de archivos sin autenticar lp_upload.php. Extrae un archivo ZIP antes de comprobar su contenido, y una vez que haya sido extra\u00eddo, no comprueba los archivos de manera recursiva. Esto significa que mediante la colocaci\u00f3n de un archivo .php en una carpeta y luego esta carpeta en un archivo ZIP, el servidor aceptar\u00e1 este archivo sin ninguna comprobaci\u00f3n. Debido a que se puede acceder a este archivo desde el sitio web, es una ejecuci\u00f3n de c\u00f3digo remota. Esto est\u00e1 relacionado con un archivo scorm imsmanifest.xml, la funci\u00f3n import_package y la extracci\u00f3n en $courseSysDir.$newDir."}], "id": "CVE-2019-13082", "lastModified": "2019-07-03T18:01:27.307", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-06-30T16:15:09.747", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Technical Description", "Third Party Advisory"], "url": "https://0xecute.com/?p=32"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://support.chamilo.org/projects/1/wiki/Security_issues"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}