CVE-2023-3368: 
Chamilo vulnerability analysis and mitigation

CVE-2023-3368 is a command injection vulnerability discovered in Chamilo LMS versions up to 1.11.20. The vulnerability exists in the /main/webservices/additional_webservices.php file and allows unauthenticated attackers to obtain remote code execution through improper neutralization of special characters. This vulnerability is particularly notable as it represents a bypass of a previous security fix for CVE-2023-34960 (STAR Labs).

The vulnerability stems from insufficient input sanitization in the Security::sanitizeExecParam() function, which only removes certain shell meta-characters (backticks, semi-colons, ampersand, and pipe characters) from user input used in constructing shell commands. The vulnerability can be exploited using command substitution techniques with $() or by injecting newlines in shell commands. The vulnerability has received a CVSS v3.1 base score of 9.8 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe impact (NVD).

The vulnerability allows unauthenticated attackers to achieve remote code execution on affected systems. Given the critical CVSS score and the lack of authentication requirements, successful exploitation could lead to complete system compromise, allowing attackers to execute arbitrary commands with the privileges of the web server process (STAR Labs).

Users are strongly recommended to update to Chamilo version 1.11.22 or later, which completely fixes the vulnerability. For developers, it is recommended to use escapeshellarg() to properly escape user-input used to construct shell commands, as well as remove dollar signs ($) and newlines (\n) in Security::sanitizeExecParam(). The fix was implemented through patches that improve input sanitization (STAR Labs, Chamilo Patch).