Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Chamilo LMS is a learning management system. Prior to 1.11.38, Twig template files (.tpl) under /main/template/default/ are directly accessible without authentication via HTTP GET requests. These templates expose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure. This vulnerability is fixed in 1.11.38.
AnalysisAI
Chamilo LMS versions prior to 1.11.38 expose Twig template files (.tpl) in the /main/template/default/ directory to unauthenticated HTTP GET requests, allowing remote attackers to disclose internal application logic, variable names, AJAX endpoint URLs, and admin panel structure without authentication. This information disclosure vulnerability has a CVSS score of 5.3 with confirmed patch availability in version 1.11.38.
Technical ContextAI
Chamilo LMS uses Twig templating engine for dynamic content rendering. Template files (.tpl) located in /main/template/default/ are intended for server-side processing and contain embedded application logic, variable references, and API endpoints. The vulnerability arises from inadequate web server access controls or framework routing logic that fails to restrict direct HTTP access to these template files. CWE-538 (Information Exposure Through Persistent Cookies) is referenced, though the root cause appears to be improper directory/file access controls rather than cookie-specific exposure. Attackers can simply request template files via standard HTTP GET, bypassing the authentication mechanisms that protect compiled or rendered output. The exposure of AJAX endpoint URLs and admin panel structure significantly increases the attack surface for secondary exploitation (privilege escalation, CSRF, XSS, or other attacks targeting identified endpoints).
RemediationAI
Upgrade Chamilo LMS to version 1.11.38 or later, which includes access control fixes preventing direct HTTP access to template files in /main/template/default/. Install the patched version by downloading the release from the official GitHub repository (https://github.com/chamilo/chamilo-lms) or applying the security advisory patch documented at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-5wjg-8x28-px57. As an interim workaround pending patch deployment, configure your web server (Apache/Nginx) to block direct requests to .tpl files by implementing access control rules (e.g., Apache .htaccess or Nginx location blocks) that deny GET/HEAD requests to /main/template/default/*.tpl and similar template directories. Verify remediation by attempting to fetch a template file directly (e.g., http://your-chamilo-instance/main/template/default/index.tpl) and confirming a 403 Forbidden response.
More in Chamilo Lms
View allChamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.
Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex
Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra
Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C
Chamilo is a learning management system. [CVSS 8.8 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi
Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit
Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21557