CVE-2026-29041
Authenticated Remote Code Execution in Chamilo LMS File Uploads

Publication date: 2026-03-06

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.34, Chamilo LMS is affected by an authenticated remote code execution vulnerability caused by improper validation of uploaded files. The application relies solely on MIME-type verification when handling file uploads and does not adequately validate file extensions or enforce safe server-side storage restrictions. As a result, an authenticated low-privileged user can upload a crafted file containing executable code and subsequently execute arbitrary commands on the server. This issue has been patched in version 1.11.34.
Affected Vendors & Products
Vendor: chamilo
Product: chamilo_lms
Version / Range: up to (excluding) 1.11.34
CWE
CWE-434: The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Impact Analysis

Exploitation of this vulnerability can lead to full system compromise. Attackers can execute arbitrary commands on the server, gain unauthorized access to sensitive data, modify or delete content, and disrupt services. This results in a complete loss of confidentiality, integrity, and availability of the affected system.


Executive Summary

CVE-2026-29041 is a high-severity authenticated remote code execution vulnerability in Chamilo LMS versions up to 1.11.32. It arises from improper validation of uploaded files, where the system relies only on MIME-type verification, which can be bypassed by attackers. Specifically, malicious users can upload files that appear as images but contain executable PHP code. When a certain configuration is enabled, these files are saved with their original extensions in web-accessible directories, allowing attackers to execute arbitrary code on the server.

Detection Guidance

This vulnerability can be detected by checking for the presence of uploaded files with executable extensions such as .php, .phtml, or .phar in web-accessible directories used by Chamilo LMS, especially if the configuration option $_configuration['enable_uploadimage_editor'] is enabled.

You can also monitor HTTP requests to the endpoint main/inc/ajax/document.ajax.php with the ck_uploadimage action to identify suspicious file uploads.

Suggested commands to detect potentially malicious files include:

- Find files with executable extensions in the upload directory, for example: find /path/to/chamilo/uploads -type f \( -name "*.php" -o -name "*.phtml" -o -name "*.phar" \)
- Check for files containing PHP code by searching for PHP tags: grep -r "<?php" /path/to/chamilo/uploads
- Review web server logs for requests to uploaded files with suspicious extensions or unusual access patterns. [1]
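The two file-system checks above (executable extensions, PHP open tags in files of any extension) as one scanner. This is an added example written for this record, not Chamilo's code or a tool from the project; the extension list, the sample directory layout and the sample files are constructed for the demonstration, so point the scanner at your real upload root and check your web server's PHP handler mapping before trusting the extension list.

```python
"""Scan an upload tree for files that a PHP handler could execute.

Added example, not Chamilo's code. Implements the two checks from the
detection guidance: (1) flag files carrying an executable extension anywhere
in the name, and (2) flag files of any other extension whose content contains
a PHP open tag (the image/PHP polyglot case the advisory describes).
"""
import re
import tempfile
from pathlib import Path

# Assumption: illustrative list of suffixes that common PHP handler
# configurations execute. Verify against the actual server configuration.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php3", ".php5", ".phps"}

# Matches both "<?php" and the short echo tag "<?=", which also executes PHP.
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def executable_extensions(name: str):
    """Return every executable suffix found anywhere in the file name, so a
    double-extension name such as 'photo.php.jpg' is reported as well."""
    parts = name.lower().split(".")[1:]
    return ["." + p for p in parts if "." + p in EXECUTABLE_EXTS]


def scan_upload_dir(root: str, max_bytes: int = 1 << 20):
    """Walk `root` and return (relative_path, reason) tuples for suspicious files.

    Only the first `max_bytes` of each file are inspected for PHP tags, which
    keeps the scan bounded on large media uploads.
    """
    findings = []
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        bad = executable_extensions(path.name)
        if bad:
            findings.append((rel, "executable extension " + bad[0]))
            continue  # already flagged; the content check adds nothing
        with path.open("rb") as fh:
            head = fh.read(max_bytes)
        if PHP_TAG.search(head):
            findings.append((rel, "PHP open tag in non-PHP file"))
    return findings


def build_sample_tree() -> str:
    """Create a constructed sample upload tree (demonstration data only)."""
    root = tempfile.mkdtemp(prefix="chamilo_uploads_")
    course = Path(root) / "courses" / "DEMO101" / "document" / "images"
    course.mkdir(parents=True)
    (course / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # benign
    (course / "avatar.php").write_bytes(b"<?php echo 'hi';")                 # bad ext
    (course / "banner.jpg").write_bytes(b"GIF89a<?php echo 1; ?>")           # polyglot
    (course / "notes.phtml").write_bytes(b"<html></html>")                   # bad ext
    (course / "photo.php.jpg").write_bytes(b"\xff\xd8\xff\xe0")              # double ext
    return root


if __name__ == "__main__":
    for rel, reason in scan_upload_dir(build_sample_tree()):
        print(f"{reason}: {rel}")
```

On the constructed tree the scanner reports four files and leaves logo.png alone. Findings with an executable extension warrant an immediate look at who uploaded them (the document.ajax.php upload endpoint named above is the place to correlate in the access log); the polyglot case only becomes exploitable if the file is stored with an extension the server executes, but it is still an indicator that someone is probing the upload path.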

Mitigation Strategies

Immediate mitigation steps include:

- Upgrade Chamilo LMS to version 1.11.34 or later, where this vulnerability has been patched.
- Enforce strict file extension allowlisting on uploaded files, accepting only safe image extensions such as .jpg, .png, and .gif, and rejecting executable extensions like .php, .phtml, or .phar regardless of MIME type.
- Avoid relying solely on MIME-type validation; use MIME-type checks only as a secondary measure.
- Store uploaded files outside of web-accessible directories or serve them through controlled handlers to prevent direct execution.
- If possible, disable the configuration option $_configuration['enable_uploadimage_editor'] to prevent saving files with original executable extensions. [1]
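The weak pattern the advisory describes (trusting the client-declared MIME type) next to a validator that applies the allowlisting, content-check and safe-storage items from the list above. This is an added example, not Chamilo's upload code or its patch; the allowlist, the executable-extension list and the upload directory /var/lib/chamilo-uploads are assumptions for the demonstration.

```python
"""Hardened image-upload validation, contrasted with a MIME-only check.

Added example, not Chamilo's code. `mime_only_accepts` mirrors the weak
pattern in the advisory; `validate_image_upload` applies the mitigations:
extension allowlist (executable extensions rejected regardless of MIME type),
magic-byte check of the content, rejection of embedded PHP tags, and a
server-chosen storage name under a directory outside the document root.
"""
import re
import secrets
from pathlib import PurePosixPath

# Allowed extensions mapped to the magic bytes the content must start with.
ALLOWED_EXTS = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Assumption: illustrative list; verify against the server's handler mapping.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php3", ".php5", ".phps"}
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)

# Assumption (hypothetical path): uploads live outside the web root and are
# served back through an application handler, never by the web server directly.
UPLOAD_ROOT = PurePosixPath("/var/lib/chamilo-uploads")


def mime_only_accepts(declared_mime: str) -> bool:
    """The weak check: trusts the Content-Type the client sent. A file named
    'shell.php' uploaded with 'image/png' passes this unchanged."""
    return declared_mime.lower().startswith("image/")


def validate_image_upload(original_name: str, data: bytes):
    """Return (accepted, reason_or_stored_path) for an uploaded image."""
    name = PurePosixPath(original_name).name.lower()  # drop any directory part
    segments = name.split(".")
    if len(segments) < 2 or not segments[0] or not segments[-1]:
        return False, "missing extension"
    ext = "." + segments[-1]
    # Any executable segment anywhere in the name is rejected, so a
    # double-extension name like 'photo.php.png' never reaches storage.
    if any("." + s in EXECUTABLE_EXTS for s in segments[1:]):
        return False, "executable extension rejected regardless of MIME type"
    if ext not in ALLOWED_EXTS:
        return False, f"extension {ext} not in allowlist"
    # Content must match the claimed type; the declared MIME type is ignored.
    if not any(data.startswith(magic) for magic in ALLOWED_EXTS[ext]):
        return False, f"content does not look like {ext}"
    if PHP_TAG.search(data):
        return False, "embedded PHP tag (image/PHP polyglot)"
    # The uploader controls neither the basename nor the final extension.
    stored = UPLOAD_ROOT / f"{secrets.token_hex(16)}{ext}"
    return True, str(stored)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("MIME-only accepts shell.php as image/png:", mime_only_accepts("image/png"))
    for fname, blob in [("logo.png", png), ("shell.php", png),
                        ("photo.php.png", png), ("banner.gif", b"GIF89a<?php echo 1; ?>")]:
        print(fname, "->", validate_image_upload(fname, blob))
```

The ordering matters: the executable-extension check runs before anything else so it cannot be sidestepped by a matching MIME type or valid image header, and the random server-chosen name means that even a bypass of the name checks would not leave an attacker-chosen path on disk. Serving the stored file back through a handler that sets its own Content-Type completes the "outside web-accessible directories" item.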
