← volver
CVE-2026-33141

Chamilo LMS has an IDOR in REST API Stats Endpoint Exposes Any User's Learning Data

CVSS 6.5 MEDIUMEPSS 0.1%CWE-639CWE-862
Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the REST API stats endpoint allows any authenticated user (including low-privilege students with ROLE_USER) to read any other user's learning progress, certificates, and gradebook scores for any course, without enrollment or supervisory relationship. This vulnerability is fixed in 2.0.0-RC.3.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Productos afectados
chamilo · chamilo-lms

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/chamilo/chamilo-lms/commit/792ba05953470ca971617fe2674ed14c1479fa80https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-j2pr-2r5w-jrpj