CVE-2023-3368

Name of the Vulnerable Software and Affected Versions Chamilo LMS versions prior to 1.11.20

Description The issue concerns command injection in the /main/webservices/additional webservices.php endpoint, allowing unauthenticated attackers to achieve remote code execution due to improper neutralization of special characters. This is a bypass of a previously known issue.

Recommendations For versions prior to 1.11.20, as a temporary workaround, consider restricting access to the /main/webservices/additional webservices.php endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.