CVE-2023-4226 - Vulnerability Details - OpenCVE

Description

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

Published: 2023-11-28

Score: 8.8 High

EPSS: 24.0% Moderate

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Chamilo

Chamilo

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.11.24

Configuration 1 [-]

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.23953.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://github.com/chamilo/chamilo-lms/commit/6f32625a012d5de2dfe8edbccb4ed14a85e310d4
https://github.com/chamilo/chamilo-lms/commit/e864127a440c2cab0eb62c113a04e2e904543a1f
https://github.com/chamilo/chamilo-lms/commit/f3d62b65ad60d68096c2674d5695339f04de0b8a
https://starlabs.sg/advisories/23/23-4226
https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-129-2023-09-04-Critical-impact-Moderate-risk-Authenticated-users-may-gain-unauthenticated-RCE-CVE-2023-4223CVE-2023-4224CVE-2023-4225CVE-2023-4226

History

No history.

Subscriptions

Chamilo Chamilo Lms

MITRE

Status: PUBLISHED

Assigner: STAR_Labs

Published: 2023-11-28T07:21:40.906Z

Updated: 2024-08-02T07:17:12.285Z

Reserved: 2023-08-08T06:52:42.177Z

Link: CVE-2023-4226

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-11-28T08:15:10.430

Modified: 2024-11-21T08:34:39.870

Link: CVE-2023-4226

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-434

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4226", "assignerOrgId": "b1571b85-cbc9-431f-830b-0c8155323a69", "state": "PUBLISHED", "assignerShortName": "STAR_Labs", "dateReserved": "2023-08-08T06:52:42.177Z", "datePublished": "2023-11-28T07:21:40.906Z", "dateUpdated": "2024-08-02T07:17:12.285Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Chamilo", "vendor": "Chamilo", "versions": [{"lessThanOrEqual": "1.11.24", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Ngo Wei Lin (@Creastery) of STAR Labs SG Pte. Ltd. (@starlabs_sg)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files."}], "value": "Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files."}], "impacts": [{"capecId": "CAPEC-650", "descriptions": [{"lang": "en", "value": "CAPEC-650 Upload a Web Shell to a Web Server"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "b1571b85-cbc9-431f-830b-0c8155323a69", "shortName": "STAR_Labs", "dateUpdated": "2023-11-28T07:21:40.906Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-129-2023-09-04-Critical-impact-Moderate-risk-Authenticated-users-may-gain-unauthenticated-RCE-CVE-2023-4223CVE-2023-4224CVE-2023-4225CVE-2023-4226"}, {"tags": ["third-party-advisory"], "url": "https://starlabs.sg/advisories/23/23-4226"}, {"tags": ["patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/6f32625a012d5de2dfe8edbccb4ed14a85e310d4"}, {"tags": ["patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/f3d62b65ad60d68096c2674d5695339f04de0b8a"}, {"tags": ["patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/e864127a440c2cab0eb62c113a04e2e904543a1f"}], "source": {"discovery": "UNKNOWN"}, "title": "Chamilo LMS File Upload Functionality Remote Code Execution", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.285Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-129-2023-09-04-Critical-impact-Moderate-risk-Authenticated-users-may-gain-unauthenticated-RCE-CVE-2023-4223CVE-2023-4224CVE-2023-4225CVE-2023-4226"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://starlabs.sg/advisories/23/23-4226"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/chamilo/chamilo-lms/commit/6f32625a012d5de2dfe8edbccb4ed14a85e310d4"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/chamilo/chamilo-lms/commit/f3d62b65ad60d68096c2674d5695339f04de0b8a"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/chamilo/chamilo-lms/commit/e864127a440c2cab0eb62c113a04e2e904543a1f"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "matchCriteriaId": "3CA5310C-E5B0-4369-BC5A-F56EBED72EBA", "versionEndIncluding": "1.11.24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files."}, {"lang": "es", "value": "La carga de archivos sin restricciones en `/main/inc/ajax/work.ajax.php` en Chamilo LMS en versiones <= 1.11.24 permite a atacantes autenticados con rol de aprendizaje obtener la ejecuci\u00f3n remota de c\u00f3digo mediante la carga de archivos PHP."}], "id": "CVE-2023-4226", "lastModified": "2024-11-21T08:34:39.870", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "info@starlabs.sg", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-28T08:15:10.430", "references": [{"source": "info@starlabs.sg", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/6f32625a012d5de2dfe8edbccb4ed14a85e310d4"}, {"source": "info@starlabs.sg", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/e864127a440c2cab0eb62c113a04e2e904543a1f"}, {"source": "info@starlabs.sg", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/f3d62b65ad60d68096c2674d5695339f04de0b8a"}, {"source": "info@starlabs.sg", "tags": ["Exploit", "Third Party Advisory"], "url": "https://starlabs.sg/advisories/23/23-4226"}, {"source": "info@starlabs.sg", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-129-2023-09-04-Critical-impact-Moderate-risk-Authenticated-users-may-gain-unauthenticated-RCE-CVE-2023-4223CVE-2023-4224CVE-2023-4225CVE-2023-4226"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/6f32625a012d5de2dfe8edbccb4ed14a85e310d4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/e864127a440c2cab0eb62c113a04e2e904543a1f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/chamilo/chamilo-lms/commit/f3d62b65ad60d68096c2674d5695339f04de0b8a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://starlabs.sg/advisories/23/23-4226"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-129-2023-09-04-Critical-impact-Moderate-risk-Authenticated-users-may-gain-unauthenticated-RCE-CVE-2023-4223CVE-2023-4224CVE-2023-4225CVE-2023-4226"}], "sourceIdentifier": "info@starlabs.sg", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "info@starlabs.sg", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-434"}], "source": "nvd@nist.gov", "type": "Primary"}]}