Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Published: 2026-04-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Gradebook Modification
Action: Immediate Patch
AI Analysis

Impact

Chamilo Learning Management System contains an insecure direct object reference in the gradebook evaluation edit page. By altering the editeval GET parameter, any authenticated teacher can view and change the settings (name, maximum score, and weight) of evaluation items that belong to other courses. This bug can compromise the integrity of grading data and undermine course evaluation accuracy.

Affected Systems

The flaw exists in all Chamilo LMS installations running versions prior to 1.11.38 on the stable line and prior to 2.0.0-RC.3 on the release candidate line. Only the Chamilo LMS product (chamilo:chamilo_lms) is affected.

Risk and Exploitability

With a CVSS score of 7.1, the vulnerability carries a moderate-to-high severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated teacher; the attack vector is local: manipulation of a browser URL or form submission. Successful exploitation results in unauthorized modification of evaluation parameters, potentially altering grade calculations for students in other courses.

Generated by OpenCVE AI on April 10, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Chamilo LMS to version 1.11.38 or later, or 2.0.0-RC.3 or later, to eliminate the IDOR flaw.
  • If an upgrade is not immediately possible, restrict teacher access to the gradebook editing functionality by configuring permissions to ensure only educators with explicit course ownership can edit evaluation settings.
  • Verify that the updated versions are in use across all deployed instances and conduct a review of access logs to detect any unauthorized gradebook modifications.


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:30:00 +0000

  • CPEs (values added):
    cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
    cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
    cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
    cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
    cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
    cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
    cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
    cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
    cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
    cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Mon, 13 Apr 2026 13:00:00 +0000

  • First Time appeared (values added): Chamilo; Chamilo chamilo Lms
  • Vendors & Products (values added): Chamilo; Chamilo chamilo Lms

Fri, 10 Apr 2026 19:15:00 +0000

  • Metrics (values added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 18:15:00 +0000

  • Description (values added): Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
  • Title (values added): Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Evaluation Edit Without Ownership Check
  • Weaknesses (values added): CWE-639
  • References (values added):
  • Metrics (values added): cvssV3_1
    {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T18:32:13.726Z

Reserved: 2026-03-17T00:05:53.281Z

Link: CVE-2026-32930

Vulnrichment

Updated: 2026-04-10T18:32:05.420Z

NVD

Status : Analyzed

Published: 2026-04-10T18:16:42.280

Modified: 2026-04-17T21:28:36.707

Link: CVE-2026-32930

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:59:58Z

Weaknesses