CVE-2023-4226

HIGH

Chamilo LMS <= 1.11.24 - Authenticated Remote Code Execution via PHP File Upload

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-4226. PoCs published by SkyW4r33x, krishnan-tech.

AI-analyzed exploit summary This repository contains a functional Python exploit for CVE-2023-4226, targeting Chamilo LMS <= v1.11.24. The exploit automates the upload of a PHP web shell and .htaccess file to achieve remote code execution (RCE) via an unrestricted file upload vulnerability.

Description

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers with learner role to obtain remote code execution via uploading of PHP files.

Exploits (2)

nomisec WORKING POC 1 stars

by SkyW4r33x · poc

https://github.com/SkyW4r33x/CVE-2023-4226

View Code ZIP pw:eip

This repository contains a functional Python exploit for CVE-2023-4226, targeting Chamilo LMS <= v1.11.24. The exploit automates the upload of a PHP web shell and .htaccess file to achieve remote code execution (RCE) via an unrestricted file upload vulnerability.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Chamilo LMS <= v1.11.24

Auth required

Prerequisites: Valid session cookie (ch_sid) · Target URL · Attacker-controlled IP and port for reverse shell

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505.003 - Web Shell

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 1 stars

by krishnan-tech · poc

https://github.com/krishnan-tech/CVE-2023-4226-POC

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-4220, an unrestricted file upload vulnerability in Chamilo LMS. The PoC allows unauthenticated attackers to upload a malicious PHP file to achieve remote code execution (RCE) via a reverse shell or direct command execution.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: Chamilo LMS <= v1.11.24

No auth needed

Prerequisites: Network access to the target Chamilo LMS instance

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5

Core References

Issue Tracking, Vendor Advisory vendor-advisory

https://support.chamilo.org/projects/chamilo-18/wiki/security_issues#Issue-129-2023-09-04-Critical-impact-Moderate-risk-Authenticated-users-may-gain-unauthenticated-RCE-CVE-2023-4223CVE-2023-4224CVE-2023-4225CVE-2023-4226

Exploit, Third Party Advisory third-party-advisory

https://starlabs.sg/advisories/23/23-4226

Patch patch

https://github.com/chamilo/chamilo-lms/commit/6f32625a012d5de2dfe8edbccb4ed14a85e310d4

Patch patch

https://github.com/chamilo/chamilo-lms/commit/f3d62b65ad60d68096c2674d5695339f04de0b8a

Patch patch

https://github.com/chamilo/chamilo-lms/commit/e864127a440c2cab0eb62c113a04e2e904543a1f

Scores

CVSS v3 8.8

EPSS 0.0243

EPSS Percentile 82.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

chamilo/chamilo_lms < 1.11.24

Published Nov 28, 2023

Tracked Since Feb 18, 2026