Exploit for Chamilo Command Injection (CVE-2023-34960)

Description:

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.

Nuclei Template

View the template here: CVE-2023-34960.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-34960.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2023-34960
https://github.com/Aituglo/CVE-2023-34960/blob/master/poc.py
https://sploitus.com/exploit?id=FD666992-20E1-5D83-BA13-67ED38E1B83D
http://chamilo.com
https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-112-2023-04-20-Critical-impact-High-risk-Remote-Code-Execution
http://packetstormsecurity.com/files/174314/Chamilo-1.11.18-Command-Injection.html