Chamilo LMS Remote Code Execution (CVE-2023-34960)

Overview

Chamilo LMS Remote Code Execution, tracked as CVE-2023-34960, affects Chamilo 1.11.x installations where a command injection issue exists in a document conversion component. Chamilo is an open-source learning management system, so vulnerable deployments can expose course content, user data, and server-side application infrastructure.

Vulnerability Overview

CVE-2023-34960 is a command injection vulnerability in Chamilo's wsConvertPpt component. According to the official CVE record, affected Chamilo 1.11.x versions can allow arbitrary command execution through a SOAP API call that includes a crafted PowerPoint name.

The flaw lies in unsafe handling of the client-supplied name before it reaches a server-side command execution context, which turns a file conversion workflow into a code execution risk.
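To make that input flow concrete, the following PHP illustration is added here and is not Chamilo's own code: the converter command (`soffice`), the upload directory, and the function names are assumptions. It shows the vulnerable pattern of interpolating a client-supplied name into a shell command next to a hardened version that allowlists the name, pins the path to the upload directory, and runs the converter without a shell.

```php
<?php
// Added illustration, not Chamilo's code. Assumes LibreOffice's "soffice"
// binary is the converter and that uploads live under $uploadDir.
declare(strict_types=1);

// Vulnerable pattern: the client-supplied name is interpolated into a
// shell command line, so shell metacharacters in the name are interpreted.
function convertPptUnsafe(string $uploadDir, string $name): string
{
    return (string) shell_exec("soffice --headless --convert-to pdf $uploadDir/$name");
}

// Hardened pattern: allowlist the name, contain the path, avoid the shell.
function convertPptSafe(string $uploadDir, string $name): string
{
    // 1. Allowlist: a bare file name with a presentation extension only
    //    (no separators, no metacharacters, bounded length).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,100}\.pptx?\z/', $name)) {
        throw new InvalidArgumentException('Rejected file name');
    }
    // 2. Path containment: resolve both and confirm the file is inside $uploadDir.
    $base = realpath($uploadDir);
    $path = realpath($uploadDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('File not found under upload directory');
    }
    // 3. No shell: the argv-array form of proc_open (PHP >= 7.4) passes each
    //    argument verbatim to the process, so nothing in $name is interpreted.
    $argv  = ['soffice', '--headless', '--convert-to', 'pdf', '--outdir', $base, $path];
    $pipes = [];
    $proc  = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start converter');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('Conversion failed');
    }
    return $out;
}
```

Of the three controls, the allowlist alone already rejects the crafted names this class of bug depends on; the path check and the shell-free invocation are defence in depth for the case where the allowlist is later loosened.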

Impact

The vulnerability is rated Critical with a CVSS 3.1 score of 9.8. Successful exploitation can allow remote attackers to execute arbitrary commands on the server hosting the Chamilo application.

For an LMS deployment, that impact can include compromise of application data, server-side files, and services reachable from the affected host.

Vulnerability Scope

NVD identifies the affected range as Chamilo 1.11.0 through 1.11.18. Later, fixed versions, and deployments where the vulnerable conversion functionality is not exposed, fall outside the vulnerable condition.

The highest-risk systems are internet-facing Chamilo LMS instances running affected 1.11.x versions with the vulnerable SOAP conversion path reachable by untrusted users.

Lab Focus

This Hackviser lab focuses on understanding how document conversion features can introduce command injection risk in web applications. You will practice identifying the affected Chamilo version range, recognizing unsafe input flow into backend processing, and connecting command injection impact to LMS platform security.

Resources