{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/chamilo/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32931"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Chamilo LMS"],"_cs_severities":["critical"],"_cs_tags":["chamilo","rce","file-upload"],"_cs_type":"advisory","_cs_vendors":["Chamilo"],"content_html":"\u003cp\u003eChamilo LMS, a learning management system, is vulnerable to an unrestricted file upload (CVE-2026-32931). This flaw affects versions prior to 1.11.38 and 2.0.0-RC.3. A teacher, after successful authentication, can exploit the exercise sound upload function to inject a PHP webshell. By manipulating the Content-Type header to appear as \u0026quot;audio/mpeg\u0026quot;, the attacker bypasses file type restrictions. The malicious PHP file is then stored in a publicly accessible web directory. This leads to remote code execution, granting the attacker control with the privileges of the web server user (www-data). Successful exploitation allows attackers to compromise the Chamilo LMS server, potentially leading to data theft, defacement, or further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker authenticates to the Chamilo LMS as a teacher.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the exercise sound upload function within the Chamilo LMS interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP webshell (e.g., \u003ccode\u003eevil.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the file upload request and modifies the \u003ccode\u003eContent-Type\u003c/code\u003e header to \u003ccode\u003eaudio/mpeg\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the PHP webshell, which is then saved with its original \u003ccode\u003e.php\u003c/code\u003e extension to a web-accessible directory on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the uploaded PHP webshell (e.g., \u003ccode\u003e/upload/evil.php\u003c/code\u003e) via a web browser.\u003c/li\u003e\n\u003cli\u003eThe PHP webshell executes arbitrary commands on the server with the privileges of the web server user (www-data).\u003c/li\u003e\n\u003cli\u003eThe attacker can then use the webshell for further malicious activities such as reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32931 allows an attacker to execute arbitrary code on the Chamilo LMS server. The attacker gains control with the privileges of the web server user, potentially leading to sensitive data theft, complete system compromise, or further attacks on internal infrastructure. Given the nature of LMS systems, this could expose student records, course materials, and other confidential information, leading to a significant breach of privacy and security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 to patch CVE-2026-32931.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to inspect and block file uploads with suspicious Content-Type headers that do not match the file extension.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for access to unusual PHP files in upload directories, which may indicate successful exploitation. Deploy the provided Sigma rule to assist in this monitoring.\u003c/li\u003e\n\u003cli\u003eImplement strict file upload policies and validate file types on the server side, regardless of the Content-Type header provided by the client.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-29T12:00:00Z","date_published":"2024-01-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-29-chamilo-rce/","summary":"An unrestricted file upload vulnerability in Chamilo LMS (CVE-2026-32931) allows an authenticated teacher to upload a PHP webshell, leading to remote code execution.","title":"Chamilo LMS Unrestricted File Upload Leads to Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-29-chamilo-rce/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-33704"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Chamilo LMS"],"_cs_severities":["critical"],"_cs_tags":["chamilo","lms","rce","cve-2026-33704"],"_cs_type":"advisory","_cs_vendors":["Chamilo"],"content_html":"\u003cp\u003eChamilo LMS, a learning management system, is vulnerable to a critical remote code execution (RCE) flaw identified as CVE-2026-33704. This vulnerability affects versions prior to 1.11.38. An authenticated user, including students, can exploit this vulnerability by writing arbitrary content to files on the server using the BigUpload endpoint. The vulnerability lies in the insufficient filtering of file extensions. While the .php extension is filtered and converted to .phps, the .pht extension is not modified. If the Apache web server is configured to handle .pht files as PHP, this can lead to arbitrary code execution. The vulnerability was patched in version 1.11.38. Exploitation allows attackers to compromise the web server hosting the Chamilo LMS instance.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Chamilo LMS as a legitimate user (e.g., student).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eBigUpload\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a \u003ccode\u003ekey\u003c/code\u003e parameter specifying the desired filename, using a \u003ccode\u003e.pht\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe request body contains arbitrary PHP code that the attacker wants to execute on the server.\u003c/li\u003e\n\u003cli\u003eThe Chamilo LMS application processes the request but fails to properly sanitize the \u003ccode\u003e.pht\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe application writes the attacker-controlled PHP code to a file with a \u003ccode\u003e.pht\u003c/code\u003e extension in the web server's document root or accessible directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP request to the newly created \u003ccode\u003e.pht\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe Apache web server, if configured to process \u003ccode\u003e.pht\u003c/code\u003e files as PHP, executes the attacker-supplied code, leading to remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33704 allows an attacker to execute arbitrary code on the Chamilo LMS server. This could lead to complete system compromise, data theft, defacement of the learning platform, or further malicious activities within the network. Given the nature of an LMS, student and faculty data, including personal information and academic records, could be exposed. There are no specific victim counts available but successful exploitation grants complete control of the Chamilo LMS instance.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or later to patch CVE-2026-33704.\u003c/li\u003e\n\u003cli\u003eConfigure the Apache web server to not execute \u003ccode\u003e.pht\u003c/code\u003e files as PHP. This mitigation can be implemented even without patching.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eChamilo_BigUpload_PHT_File_Creation\u003c/code\u003e to detect the creation of \u003ccode\u003e.pht\u003c/code\u003e files via the \u003ccode\u003eBigUpload\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to \u003ccode\u003e.pht\u003c/code\u003e files in the Chamilo LMS web directory using the \u003ccode\u003eChamilo_PHT_File_Access\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-24-chamilo-rce/","summary":"Chamilo LMS versions prior to 1.11.38 are vulnerable to remote code execution via arbitrary file upload by authenticated users due to insufficient file extension filtering in the BigUpload endpoint, allowing execution of PHP code on servers configured to process .pht files.","title":"Chamilo LMS Remote Code Execution via Arbitrary File Upload (CVE-2026-33704)","url":"https://feed.craftedsignal.io/briefs/2024-01-24-chamilo-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Chamilo","version":"https://jsonfeed.org/version/1.1"}