Ngo Wei Lin

**Name of the Vulnerable Software and Affected Versions** Microsoft SharePoint Server (affected versions not specified) **Description** A flaw exists in Microsoft SharePoint Server that enables remote attackers to execute arbitrary code and compromise the system. The issue stems from insufficient input validation. Exploitation of this flaw could allow an attacker to execute code remotely by using specially crafted data. This is a post-authentication remote code execution issue. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue concerns improper neutralisation of special characters, allowing command injection in the `main/lp/openoffice presentation.class.php` file. This enables users who are permitted to upload Learning Paths to obtain remote code execution. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue to prevent remote code execution. As a temporary workaround, consider restricting access to the `main/lp/openoffice presentation.class.php` file or disabling the upload of Learning Paths until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue concerns an unrestricted file upload in the `/main/inc/ajax/document.ajax.php` endpoint, allowing authenticated attackers with a learner role to achieve remote code execution by uploading PHP files. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue to prevent remote code execution via unrestricted file uploads.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue concerns an unrestricted file upload in the `/main/inc/ajax/dropbox.ajax.php` endpoint, allowing authenticated attackers with a learner role to achieve remote code execution by uploading PHP files. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue to prevent remote code execution. As a temporary workaround, consider restricting access to the `/main/inc/ajax/dropbox.ajax.php` endpoint to prevent file uploads.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue concerns an unrestricted file upload in the `/main/inc/ajax/exercise.ajax.php` endpoint, allowing authenticated attackers with a learner role to achieve remote code execution by uploading PHP files. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue to prevent remote code execution via unrestricted file uploads.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue allows authenticated attackers with a learner role to achieve remote code execution. This is possible due to an unrestricted file upload in the `/main/inc/ajax/work.ajax.php` endpoint, which enables the uploading of PHP files. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the `/main/inc/ajax/work.ajax.php` endpoint to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.20 **Description** The issue concerns command injection in the `/main/webservices/additional webservices.php` endpoint, allowing unauthenticated attackers to achieve remote code execution due to improper neutralization of special characters. This is a bypass of a previously known issue. **Recommendations** For versions prior to 1.11.20, as a temporary workaround, consider restricting access to the `/main/webservices/additional webservices.php` endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.20 **Description** The issue concerns a path traversal vulnerability in the file upload functionality, specifically in the `/main/webservices/additional webservices.php` endpoint. This allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write. **Recommendations** For versions prior to 1.11.20, update to a version that contains a fix for this issue to prevent path traversal and subsequent remote code execution. As a temporary workaround, consider restricting access to the `/main/webservices/additional webservices.php` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.20 **Description** The issue is related to improper sanitisation in the `main/inc/lib/fileUpload.lib.php` file, which allows unauthenticated attackers to bypass file upload security protections. This can lead to remote code execution via the uploading of a `.htaccess` file. The vulnerability may be exploited by privileged attackers or chained with other vulnerabilities to achieve remote code execution. **Recommendations** For versions prior to 1.11.20, update to a version that contains a fix for this issue to prevent remote code execution. As a temporary workaround, consider restricting access to the `fileUpload.lib.php` file or disabling the file upload functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell, specifically through the big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php`. This has been exploited in real-world incidents, such as the PermX machine on HackTheBox, where attackers used subdomain enumeration to discover a vulnerable Chamilo LMS instance, and then abused a bash script with sudo privileges to gain root access. **Recommendations** For versions prior to 1.11.24, update to version 1.11.24 or later to resolve the issue. As a temporary workaround, consider disabling the big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` until a patch is available. Restrict access to the `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` file to minimize the risk of exploitation. Avoid using the big file upload functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Chamilo LMS versions prior to 1.11.24 **Description** The issue concerns a command injection in the `main/lp/openoffice text document.class.php` file, allowing users who can upload Learning Paths to achieve remote code execution. This is due to the improper neutralization of special characters. **Recommendations** For versions prior to 1.11.24, update to a version that contains a fix for this issue to prevent command injection and potential remote code execution. As a temporary workaround, consider restricting the upload of Learning Paths to trusted users or disabling the vulnerable `openoffice text document.class.php` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NodeBB versions <= 2.8.10 **Description** The issue allows unauthenticated attackers to trigger a crash in NodeBB when invoking `eventName.startsWith()` or `eventName.toString()`, while processing Socket.IO messages via crafted Socket.IO messages containing array or object type for the event name respectively. **Recommendations** For NodeBB versions <= 2.8.10, update to a version greater than 2.8.10 to resolve the issue. As a temporary workaround, consider restricting the use of Socket.IO messages to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Triangle MicroWorks SCADA Data Gateway (affected versions not specified) **Description** This issue allows remote attackers to create arbitrary files on affected installations. User interaction is required, where the target must visit a malicious page or open a malicious file. The flaw exists within the processing of workspace files due to the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this to create files in the context of Administrator. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GitLab versions prior to 14.4.5 GitLab versions 14.5.0 through 14.5.3 GitLab versions 14.6.0 through 14.6.1 **Description** An issue has been discovered in GitLab where it does not ignore replacement references with git sub-commands. This allows a malicious user to spoof the contents of their commits in the UI. **Recommendations** For versions prior to 14.4.5, update to version 14.4.5 or later. For versions 14.5.0 through 14.5.3, update to version 14.5.4 or later. For versions 14.6.0 through 14.6.1, update to version 14.6.2 or later.

**Name of the Vulnerable Software and Affected Versions** Hancom Office version 9.6.1.7634 **Description** The issue allows for a use-after-free via a crafted .docx file, specifically affecting the tfo common component in HwordApp.dll. **Recommendations** For Hancom Office version 9.6.1.7634, at the moment, there is no information about a newer version that contains a fix for this issue.