CVE-2023-34944: 
Chamilo vulnerability analysis and mitigation

An arbitrary file upload vulnerability was discovered in the /fileUpload.lib.php component of Chamilo Learning Management System (LMS) versions 1.11.* up to v1.11.18. The vulnerability was disclosed on June 13, 2023, and affects the file upload functionality of the system (NVD).

The vulnerability allows attackers to execute arbitrary code by uploading a crafted SVG file through the file upload component. The issue has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-434: Unrestricted Upload of File with Dangerous Type (NVD).

If successfully exploited, this vulnerability could allow attackers to execute arbitrary code on the affected system, potentially leading to complete system compromise. The high CVSS score indicates that the vulnerability can be exploited remotely without requiring privileges or user interaction, and could result in a total loss of confidentiality, integrity, and availability (NVD).

The vulnerability has been patched through two commits: one implementing SVG file sanitization and another adding the required SVG sanitization dependency. Users should upgrade to a version that includes these security fixes (Chamilo Patch 1, Chamilo Patch 2).