A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
View the template here CVE-2023-34960.yaml
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-34960