Chamilo LMS has an Insecure Direct Object Reference (IDOR)

7.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress — including score, status, completion, and time — without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Basic Information

ID CVE-2026-33702

Source GitHub_M

Published Apr 10, 2026 at 18:15

Affected Product

Vendor chamilo

Product chamilo-lms

Version < 1.11.38

Affected Versions chamilo chamilo-lms < 1.11.38
chamilo chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, Chamilo LMS contains an Insecure Direct Object Reference (IDOR) vulnerability in the Learning Path progress saving endpoint. The file lp_ajax_save_item.php accepts a uid (user ID) parameter directly from $_REQUEST and uses it to load and modify another user's Learning Path progress \u2014 including score, status, completion, and time \u2014 without verifying that the requesting user matches the target user ID. Any authenticated user enrolled in a course can overwrite another user's Learning Path progress by simply changing the uid parameter in the request. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.",
    "published": "2026-04-10T18:15:49.964Z",
    "modified": "2026-04-10T18:15:49.964Z",
    "type": "cve",
    "title": "Chamilo LMS has an Insecure Direct Object Reference (IDOR)",
    "source": "GitHub_M",
    "references": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-3rv7-9fhx-j654\nhttps://github.com/chamilo/chamilo-lms/commit/6331d051b4468deb5830c01d1e047c5e5cf2c74f\nhttps://github.com/chamilo/chamilo-lms/commit/bf3f6c6949b5c882b48a9914baa19910417e4551",
    "id": "CVE-2026-33702",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "chamilo chamilo-lms < 1.11.38\nchamilo chamilo-lms >= 2.0.0-alpha.1, < 2.0.0-RC.3",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "chamilo-lms",
    "version": "< 1.11.38",
    "vendor": "chamilo",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Chamilo LMS has an Insecure Direct Object Reference (IDOR)_CVE-2026-33702