CVE-2021-31933

Published on: 04/30/2021 12:00:00 AM UTC

Last Modified on: 05/01/2021 03:52:00 AM UTC

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

The following vulnerability was found:

A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.
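The advisory names two defects: extension filtering that misses PHP-executable variants such as .phar and .pht, and a client-controlled upload directory that is not confined to the upload root. The following is an added illustration (not Chamilo's code) of the two corresponding controls: an extension allowlist instead of a denylist, and a containment check on the fully resolved destination. The upload root, sub-directory names and the allowed extension set are assumptions.

```python
import os
from pathlib import Path
from typing import Optional

# Assumed allowlist: only these extensions may be stored. Anything not listed,
# including executable variants a denylist tends to forget (.phar, .pht, .phtml),
# is refused without needing to enumerate them.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}


def safe_upload_path(filename: str, subdir: str, base_dir: str) -> Optional[Path]:
    """Return the resolved destination for an upload, or None if it must be refused.

    filename and subdir are treated as attacker-controlled; base_dir is the
    server-side upload root that every stored file must stay inside.
    """
    # Keep only the final path component of the client-supplied name, so any
    # directory parts (forward or back slashes) in the filename are discarded.
    name = os.path.basename(filename.replace("\\", "/"))
    # Refuse empty names and dot-files (e.g. an uploaded .htaccess could change
    # how the web server treats the directory).
    if not name or name.startswith("."):
        return None
    # Check every suffix, not just the last one: web servers that map multiple
    # extensions would otherwise still execute "shell.phar.png".
    parts = name.lower().split(".")
    if len(parts) < 2 or any(p not in ALLOWED_EXTENSIONS for p in parts[1:]):
        return None
    # Resolve the destination and require it to be a descendant of the upload
    # root; this is the check that stops "../"-style directory traversal in subdir.
    base = Path(base_dir).resolve()
    dest = (base / subdir / name).resolve()
    if base not in dest.parents:
        return None
    return dest


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate image and three refused uploads.
    for fn, sd in [("photo.png", "images"), ("shell.phar", "images"),
                   ("shell.php.png", "images"), ("photo.png", "../../etc")]:
        print(fn, sd, "->", safe_upload_path(fn, sd, "/srv/uploads"))
```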

CVE References

Security fixes · chamilo/chamilo-lms@f65d065 · GitHub (MISC)
github.com/chamilo/chamilo-lms/commit/f65d065061a77bb2e84f73217079ce3998cf3453

Update .htaccess. disallow PHP inside web/ · chamilo/chamilo-lms@2293021 · GitHub (MISC)
github.com/chamilo/chamilo-lms/commit/229302139e8d23bf6862183cf219b967f6e2fbc1

Security issues - Chamilo LMS - Chamilo Tracking System (MISC)
support.chamilo.org/projects/1/wiki/Security_issues#Issue-48-2021-04-17-Critical-impact-high-risk-Remote-Code-Execution
