API Security Blog

Chamilo unauthenticated command injection in PowerPoint upload

Chamilo is an e-learning platform, also called a Learning Management System (LMS). This module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions `1.11.18` and below (CVE-2023-34960). Because of a feature called Chamilo Rapid, which converts PowerPoint slides to courses on Chamilo, an unauthenticated remote attacker can execute arbitrary commands at the OS level by sending a malicious SOAP request to the vulnerable endpoint `/main/webservices/additional_webservices.php`.
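One way to check web server access logs for requests to the endpoint named above, as an added example that is not code from the original post or from Chamilo. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

ENDPOINT = "/main/webservices/additional_webservices.php"  # from the advisory

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2023:10:01:02 +0000] "POST /main/webservices/additional_webservices.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Jun/2023:10:01:09 +0000] "POST /lms//main/./webservices/additional%5Fwebservices.php HTTP/1.1" 200 498 "-" "curl/8.0"
198.51.100.4 - - [10/Jun/2023:10:02:00 +0000] "GET /main/webservices/additional_webservices.php?wsdl HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.15 - - [10/Jun/2023:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1000 "-" "Mozilla/5.0"
"""

def normalise(target):
    """Drop the query string, decode %-escapes, collapse //, /./ and /../."""
    path = unquote(target.split("?", 1)[0])
    return normpath("/" + path.lstrip("/"))

def find_hits(lines):
    """Map client IP -> [(timestamp, method, status)] for endpoint requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        # Substring match also covers installs under a sub-directory.
        if ENDPOINT in normalise(m["target"]):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def post_sources(hits):
    """Client IPs that sent a POST (how SOAP calls normally arrive) to the endpoint."""
    return sorted(ip for ip, reqs in hits.items()
                  if any(method == "POST" for _, method, _ in reqs))

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG.splitlines())
    for ip in post_sources(found):
        print(ip, found[ip])
```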
