Path traversal in file upload functionality in `/main/webservices/additional_webservices.php` in Chamilo LMS <= v1.11.20 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via arbitrary file write.
The file `/main/webservices/additional_webservices.php` does not require authentication and does not properly filter paths passed during file uploads. An attacker can construct a request containing path traversal sequences (e.g., `../`), allowing file writing to any location accessible to the web server process. By placing an executable file (e.g., webshell) outside the intended directory this way, the attacker gains the ability to invoke it through a browser and thus achieve remote code execution on the server.
An unauthenticated attacker can gain full control over the server through RCE, as well as conduct stored XSS attacks on application users by uploading malicious files to accessible web locations.
Update Chamilo LMS to a version containing the patch available in commit 37be9ce7243a30259047dd4517c48ff8b21d657a. Patch details are available in vendor references (support.chamilo.org and GitHub). As an interim measure, consider restricting access to the file `/main/webservices/additional_webservices.php` at the web server configuration level or through a web application firewall.
Chamilo LMS version 1.11.20 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HChamilo
APPChamilo≤ 1.11.20
Related vulnerabilities
Command injection w Chamilo LMS umożliwiający RCE bez uwierzytelnienia
Chamilo LMS – ominięcie ochrony upload plików i RCE przez .htaccess
A command injection vulnerability in the wsConvertPpt component of Chamilo v1.11.* up to v1.11.18 allows attac...
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or ...
Chamilo 1.11.16 is affected by an authenticated local file inclusion vulnerability which allows authenticated ...