CVE-2023-1728 in LMSinfo

Summary

by MITRE • 04/04/2023

Unrestricted Upload of File with Dangerous Type vulnerability in Fernus Informatics LMS allows OS Command Injection, Server Side Include (SSI) Injection.This issue affects LMS: before 23.04.03.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/22/2026

The vulnerability identified as CVE-2023-1728 represents a critical security flaw in the Fernus Informatics Learning Management System that stems from inadequate file upload validation mechanisms. This weakness enables malicious actors to bypass security controls and upload files with potentially harmful extensions, creating a pathway for arbitrary code execution and system compromise. The vulnerability specifically affects versions of the LMS prior to 23.04.03, indicating that organizations running older iterations remain exposed to significant risk. The flaw manifests through unrestricted file upload capabilities that fail to properly validate file types, content, or execution permissions before storage on the server.

The technical implementation of this vulnerability allows for OS command injection through malicious file uploads that can be executed within the server environment. When users upload files without proper type checking, attackers can submit files with dangerous extensions such as .jsp, .php, .asp, or .shtml that enable server-side include injection. The underlying flaw aligns with CWE-434 which specifically addresses the weakness of unrestricted file upload allowing for code execution. This vulnerability operates at the intersection of multiple attack vectors as it can be leveraged for both direct command execution and indirect code injection through server-side include mechanisms. The system fails to properly sanitize file extensions and content, allowing malicious payloads to be stored and subsequently executed by the web server.

The operational impact of CVE-2023-1728 extends beyond simple unauthorized file uploads, as it provides attackers with persistent access to the underlying system infrastructure. Once an attacker successfully uploads a malicious file, they can execute arbitrary commands on the target server, potentially leading to complete system compromise, data exfiltration, or establishment of persistent backdoors. The server-side include injection capability amplifies the threat by allowing attackers to inject malicious code that executes during page rendering, providing a stealthy method of maintaining access. This vulnerability directly maps to several tactics in the MITRE ATT&CK framework including T1190 for exploiting vulnerabilities, T1059 for command and script injection, and T1566 for social engineering through malicious file uploads. Organizations may experience unauthorized access to sensitive educational data, disruption of learning management services, and potential regulatory compliance violations.

Mitigation strategies for this vulnerability require immediate implementation of comprehensive file upload validation controls that align with industry best practices and security standards. Organizations should deploy strict file type validation mechanisms that reject uploads of dangerous extensions and perform content analysis to detect potentially malicious payloads. The system must implement proper file naming conventions and store uploaded files outside the web root directory to prevent direct execution. Network segmentation and access controls should be enforced to limit the potential impact of successful exploitation. Regular security updates and patches should be applied immediately upon availability, with particular attention to the specific version fixes provided by Fernus Informatics for the 23.04.03 release. Additionally, implementing web application firewalls and intrusion detection systems can provide additional layers of protection against exploitation attempts. Security monitoring should include detection of unusual file upload activities and unauthorized access patterns to identify potential exploitation attempts. The vulnerability underscores the importance of secure coding practices and comprehensive input validation as outlined in OWASP Top Ten security controls for preventing file upload related attacks.

Reservation

03/30/2023

Disclosure

04/04/2023

Moderation

accepted

CPE

ready

EPSS

0.01421

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!