Description

A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.

Remediation

References

CVE-2021-31933

Related Vulnerabilities

phpMyFAQ Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2014-6048)

WordPress Plugin Product Feed on WooCommerce for Google, Awin, Shareasale, Bing, and More SQL Injection (3.3.0.3)

WordPress Plugin Fluid Responsive Slideshow Multiple Vulnerabilities (2.2.6)

WordPress Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-3129)

Plone CMS Improper Input Validation Vulnerability (CVE-2011-4462)

Severity

High

Classification

CVE-2021-31933 CWE-20 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Tags

Missing Update Known Vulnerabilities