CVE-2021-31933
HIGHChamilo < 1.11.14 - Remote Code Execution
Title source: ruleDescription
A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by M. Cory Billington · pythonwebappsphp
https://www.exploit-db.com/exploits/49867
References (4)
Scores
CVSS v3
7.2
EPSS
0.1478
EPSS Percentile
94.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-706
Status
published
Affected Products (1)
chamilo/chamilo
< 1.11.14
Timeline
Published
Apr 30, 2021
Tracked Since
Feb 18, 2026