CVE-2023-34960

A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands...

Basic Information

CVE State: PUBLISHED
Reserved Date: June 07, 2023
Published Date: August 01, 2023
Last Updated: October 23, 2024
Vendor: Chamilo
Product: Chamilo
Description: A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name.
Tags

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

Score: 93.99% (Percentile: 99.87%) as of 2025-06-20

SSVC Information

Exploitation: none
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (2025-05-24 00:00:00 UTC) Source

References

http://chamilo.com https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-112-2023-04-20-Critical-impact-High-risk-Remote-Code-Execution http://packetstormsecurity.com/files/174314/Chamilo-1.11.18-Command-Injection.html

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2025-05-25 12:00:17 UTC

Scanner Integrations

Scanner	URL	Date Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/chamilo_unauth_rce_cve_2023_34960.rb	2025-04-29 11:01:12 UTC
Nuclei	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-34960.yaml	2025-04-26 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

chamilo_unauth_rce_cve_2023_34960

Type: metasploit • Created: Unknown

Metasploit module for CVE-2023-34960

tucommenceapousser/CVE-2023-34960-ex

Type: github • Created: 2023-08-01 08:09:51 UTC • Stars: 0

Perform with Massive Command Injection (Chamilo)

Mantodkaz/CVE-2023-34960

Type: github • Created: 2023-07-24 20:51:15 UTC • Stars: 4

ThatNotEasy/CVE-2023-34960

Type: github • Created: 2023-07-22 05:27:45 UTC • Stars: 21

Perform with Massive Command Injection (Chamilo)

YongYe-Security/CVE-2023-34960

Type: github • Created: 2023-07-09 11:24:33 UTC • Stars: 0

Chamilo CVE-2023-34960 Batch scan/exploit

Jenderal92/CHAMILO-CVE-2023-34960

Type: github • Created: 2023-07-03 11:17:42 UTC • Stars: 2

Wordpress CVE-2023-34960

Aituglo/CVE-2023-34960

Type: github • Created: 2023-06-09 10:32:22 UTC • Stars: 35

CVE-2023-34960 Chamilo PoC

Timeline

CVE ID Reserved

June 07, 2023
CVE Published to Public

August 01, 2023
Detected by Nuclei

April 26, 2025
Detected by Metasploit

April 29, 2025
Added to KEVIntel

May 25, 2025