Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
AnalysisAI
Authenticated teachers in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 can access and modify gradebook evaluation settings across unauthorized courses through Insecure Direct Object Reference in the editeval parameter. Attackers with low-privilege teacher accounts can alter evaluation names, maximum scores, and weights for assessments in courses they do not own, enabling unauthorized data disclosure and integrity compromise. No public exploit identified at time of analysis.
Technical ContextAI
CWE-639 Authorization Bypass Through User-Controlled Key flaw in gradebook evaluation edit functionality. Server-side fails to validate course ownership before processing editeval GET parameter, allowing horizontal privilege escalation. Authenticated teacher role (PR:L) required; network-accessible attack vector (AV:N) with no complexity barriers (AC:L) enables cross-course data manipulation without UI interaction.
RemediationAI
Vendor-released patch: upgrade to Chamilo LMS 1.11.38 for 1.x deployments or 2.0.0-RC.3 for 2.x pre-release environments. Upstream fixes implemented in commits 63e1e6d3d717bd537c7c61719416da35aaa658dd and f03f681df939db0429edc8414fb3ce4e4b80d79d add server-side authorization checks validating teacher-course association before gradebook evaluation modification. Official advisory: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-9h22-wrg7-82q6. No effective workarounds exist short of disabling gradebook functionality; immediate upgrade strongly recommended. Restrict teacher account provisioning and audit existing role assignments during patch deployment window to limit exposure surface.
More in Chamilo Lms
View allChamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.
Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex
Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra
Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C
Chamilo is a learning management system. [CVSS 8.8 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi
Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit
Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21529