CVE-2023-3533: 
Chamilo vulnerability analysis and mitigation

CVE-2023-3533 is a critical vulnerability discovered in Chamilo LMS versions <= v1.11.20. The vulnerability involves a path traversal issue in the file upload functionality within /main/webservices/additional_webservices.php, which allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution through arbitrary file write (STAR Labs Advisory).

The vulnerability exists due to improper sanitization of file paths in the wsConvertPpt function. The sanitization functions Security::sanitizeExecParam() and Security::filter_filename() fail to prevent path traversal as they don't remove dots (.) and forward slashes (/). The CVSS v3.1 base score is 9.8 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (STAR Labs Advisory).

The vulnerability allows attackers to achieve stored cross-site scripting by placing malicious HTML files in writable and publicly-accessible directories within the web root. More critically, attackers can achieve remote code execution by forging PHP session files containing deserialization gadget chains, even if the web root is non-writable (STAR Labs Advisory).

The vulnerability was patched in version 1.11.22. The fix involves ensuring that the destination file path does not traverse out of the intended directory by checking for '..' in the user-supplied file_name. Users are strongly encouraged to update to the latest version of Chamilo to mitigate this and other high-severity vulnerabilities (STAR Labs Advisory, Chamilo Patch).