How severe is CVE-2023-3545?

This vulnerability has a severity rating of CRITICAL with a CVSS score of 9.8 out of 10.

What type of vulnerability is CVE-2023-3545?

This is classified as CWE-178, which is a common weakness in software security.

CVE-2023-3545 - CRITICAL Severity | CVSS 9.8

Vulnerability Description

Improper sanitisation in `main/inc/lib/fileUpload.lib.php` in Chamilo LMS <= v1.11.20 on Windows and Apache installations allows unauthenticated attackers to bypass file upload security protections and obtain remote code execution via uploading of `.htaccess` file. This vulnerability may be exploited by privileged attackers or chained with unauthenticated arbitrary file write vulnerabilities, such as CVE-2023-3533, to achieve remote code execution.

Related Vulnerabilities

CVE-2001-0766

CRITICAL

CVSS:9.8(Critical)

Apache on MacOS X Client 10.0.3 with the HFS+ file system allows remote attackers to bypass access restrictions via a URL that contains some characters whose case is not matched by Apache's filters.

CWE-1782001

CVE-2002-1820

CRITICAL

CVSS:9.8(Critical)

register.php in Ultimate PHP Board (UPB) 1.0 and 1.0b uses an administrative account Admin with a capital "A," but allows a remote attacker to impersonate the administrator by registering an account n...

CWE-1782002

CVE-2002-2119

CRITICAL

CVSS:9.8(Critical)

Novell eDirectory 8.6.2 and 8.7 use case insensitive passwords, which makes it easier for remote attackers to conduct brute force password guessing.

CWE-1782002

CVE-2004-2154

CRITICAL

CVSS:9.8(Critical)

CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are ...

CWE-1782004

CVE-2004-2214

CRITICAL

CVSS:9.8(Critical)

Mbedthis AppWeb HTTP server before 1.1.3 allows remote attackers to bypass access restrictions via a URI with mixed case characters.

CWE-1782004

CVE-2005-0269

CRITICAL

CVSS:9.8(Critical)

The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that incl...

CWE-1782005