CVE-2021-31933

Name of the Vulnerable Software and Affected Versions: Chamilo versions prior to 1.11.14

Description: A remote code execution issue exists due to improper input sanitization of a parameter used for file uploads and improper file-extension filtering for certain filenames, such as .phar or .pht. A remote authenticated administrator can upload a file containing arbitrary PHP code into specific directories via directory traversal in main/inc/lib/fileUpload.lib.php to achieve PHP code execution.

Recommendations: For versions prior to 1.11.14, update to a version that includes the fix for this issue to prevent remote code execution. As a temporary workaround, consider restricting access to the fileUpload.lib.php file or disabling the file upload functionality until a patch is available.