Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
7DescriptionGitHub Advisory
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, the default password reset mechanism generates tokens using sha1($email) with no random component, no expiration, and no rate limiting. An attacker who knows a user's email can compute the reset token and change the victim's password without authentication. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
AnalysisAI
Unauthenticated password reset takeover in Chamilo LMS 1.11.x (prior to 1.11.38) and 2.0.0-RC versions (prior to RC.3) allows remote attackers to hijack arbitrary user accounts by computing deterministic reset tokens. The vulnerability stems from insecure token generation using sha1($email) without randomization, expiration, or rate limiting. Attackers knowing a target's email address can directly calculate valid password reset tokens and change account credentials without prior authentication, enabling full account takeover with high confidentiality and integrity impact. No public exploit identified at time of analysis.
Technical ContextAI
Root cause is CWE-640 (weak password recovery using predictable token). Reset mechanism generates tokens via sha1(email_address) - a deterministic hash vulnerable to precomputation attacks. Missing entropy, time-based expiration, and brute-force protection enable offline token calculation from known email addresses. CVSS vector PR:N confirms unauthenticated attack surface.
RemediationAI
Vendor-released patches: upgrade to Chamilo LMS 1.11.38 for 1.11.x branch or 2.0.0-RC.3 for 2.0 branch. Upstream fixes implemented via commits 078d7e5b77679fa7ccfcd6783bd5cc683db0bda8 and 750a45312a0d5c3ad60dbfbd0d959ca40be4a18c introduce cryptographically random token generation, time-limited validity, and rate limiting protections. Official vendor security advisory available at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-f27g-66gq-g7v2. No workarounds mitigate this vulnerability - upgrade is mandatory. Organizations unable to immediately patch should disable password reset functionality via application configuration until remediation is completed. Monitor authentication logs for anomalous password reset activity targeting high-privilege accounts.
More in Chamilo Lms
View allChamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.
Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex
Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.
Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload
Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra
Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C
Chamilo is a learning management system. [CVSS 8.8 HIGH]
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi
Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi
Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit
Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21561