CVE-2023-34960: 
Chamilo vulnerability analysis and mitigation

A command injection vulnerability exists in the wsConvertPpt component of Chamilo versions 1.11.* up to v1.11.18. The vulnerability allows unauthenticated attackers to execute arbitrary commands via a SOAP API call with a crafted PowerPoint name (NVD, AttackerKB).

The vulnerability exists in the /main/webservices/additional_webservices.php file where the wsConvertPpt function fails to properly filter filename input before passing it to an exec() function. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

Successful exploitation allows attackers to execute arbitrary operating system commands on the vulnerable server with the privileges of the web server process. This could lead to complete system compromise, including the ability to access, modify, or delete data (AttackerKB).

Organizations should upgrade to a version newer than Chamilo v1.11.18. The vulnerability was later found to be incompletely fixed and was bypassed (tracked as CVE-2023-3368), requiring an additional update to versions newer than v1.11.20 (NVD).