Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Published: 2026-04-10
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirection enabling phishing and session ID leakage for authenticated administrators
Action: Immediate Patch
AI Analysis

Impact

Chamilo LMS suffers an open redirect flaw in the session course edit page that accepts an unvalidated 'page' parameter. When an authenticated administrator saves changes to coach assignments, the system redirects the browser to the supplied URL. The redirect also transmits the session identifier to the target domain. This can facilitate phishing attacks and unauthorized tracking of administrative sessions.

Affected Systems

Versions of Chamilo LMS before 1.11.38 and before 2.0.0-RC.3 are affected. The risk applies to any Chamilo LMS installation where user accounts and session/course management are in use, and in particular to administrators who edit coach assignments, since they are the users who trigger the redirect.

Risk and Exploitability

The CVSS score of 4.7 indicates moderate severity. The vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects that the attacker needs no privileges of their own, but must get an authenticated administrator to act on a crafted link and then save coach assignment changes; that interaction requirement makes wide automated abuse unlikely. With an EPSS score below 1% and no KEV listing, exploitation in the wild appears unlikely at present, though the leaked session id adds potential for tracking or hijacking administrative sessions. The primary attack vector is user interaction with the redirect after an admin action, making this a social-engineering risk rather than a purely automated exploit.

Generated by OpenCVE AI on April 10, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Chamilo LMS to version 1.11.38 or later, or 2.0.0-RC.3 or later
  • Verify that the 'page' parameter is properly validated or removed
  • If an immediate patch is unavailable, restrict administrative account access and monitor for suspicious external redirects
  • Revoke and regenerate any session identifiers that may have been exposed to external domains
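The following is an added example of the kind of check the second recommended action calls for; it is not Chamilo's own code, and the page names, base path and session id used here are assumptions. Rather than trying to sanitise a free-form URL, it maps the user-supplied 'page' value onto a fixed allowlist of local pages and only then appends id_session, so an attacker-controlled absolute or protocol-relative URL can never reach the Location header and the session id only ever travels to the application's own origin.

```php
<?php
// Added example (not Chamilo code): safe handling of a 'page' return parameter
// after saving coach assignments. Page names and base path are assumed values.
declare(strict_types=1);

// Hypothetical allowlist of local pages the edit form may return to.
const ALLOWED_RETURN_PAGES = [
    'resume_session.php',
    'session_list.php',
];
const DEFAULT_RETURN_PAGE = 'resume_session.php';

/**
 * Resolve a user-supplied 'page' value to a known local page.
 * The comparison is exact, so values carrying a scheme, a host, a
 * protocol-relative prefix ("//"), a query string or path separators
 * all fall back to the default instead of being echoed into a redirect.
 */
function resolveReturnPage(?string $page): string
{
    if ($page === null) {
        return DEFAULT_RETURN_PAGE;
    }
    $page = trim($page);
    return in_array($page, ALLOWED_RETURN_PAGES, true) ? $page : DEFAULT_RETURN_PAGE;
}

/**
 * Build the same-origin redirect URL. Because the target is always a
 * path under $basePath, the id_session value cannot leak to a third-party host.
 */
function buildSessionRedirect(string $basePath, ?string $page, int $sessionId): string
{
    $target = resolveReturnPage($page);
    return rtrim($basePath, '/') . '/' . $target . '?' . http_build_query(['id_session' => $sessionId]);
}

// Usage: in the real handler $page would come from the request and $sessionId
// from the saved session; these inputs are constructed for demonstration.
$samples = [
    'resume_session.php',                  // allowed local page
    'https://attacker.example/capture',    // absolute external URL
    '//attacker.example/capture',          // protocol-relative URL
    'resume_session.php?x=1',              // allowed name with a smuggled query
    null,                                  // parameter absent
];
foreach ($samples as $page) {
    printf("%-40s -> %s\n", var_export($page, true), buildSessionRedirect('/main/session', $page, 42));
}
// The resulting string would then be passed to header('Location: ...') after
// checking that the caller is an authenticated administrator.
```

The design choice is deliberate: an allowlist of page names is easier to audit than a deny-list of URL shapes, and it removes the whole class of parser-differential tricks (backslashes, userinfo segments, mixed-case schemes) that make "is this URL local?" checks fragile.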


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:30:00 +0000

Type: CPEs
Values removed: (none)
Values added:
  cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha4:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:alpha5:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta2:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:beta3:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:chamilo:chamilo_lms:2.0.0:rc2:*:*:*:*:*:*

Mon, 13 Apr 2026 17:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added:
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Chamilo; Chamilo chamilo Lms

Type: Vendors & Products
Values removed: (none)
Values added: Chamilo; Chamilo chamilo Lms

Fri, 10 Apr 2026 18:15:00 +0000

Type: Description
Values removed: (none)
Values added: Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

Type: Title
Values removed: (none)
Values added: Chamilo LMS has an Open Redirect via Unvalidated 'page' Parameter in Session Course Edit

Type: Weaknesses
Values removed: (none)
Values added: CWE-601

Type: References
Values removed: (none)
Values added: (empty)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added:
  {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:36:22.092Z

Reserved: 2026-03-17T00:05:53.282Z

Link: CVE-2026-32932

Vulnrichment

Updated: 2026-04-13T15:33:24.890Z

NVD

Status: Analyzed

Published: 2026-04-10T18:16:42.590

Modified: 2026-04-17T21:27:32.730

Link: CVE-2026-32932

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:59:56Z

Weaknesses