Impact
Chamilo Learning Management System allows an attacker who knows a user’s email address to compute a password‑reset token because the system uses a deterministic SHA‑1 hash of the email without any random salt, expiration, or rate limiting. The attacker can generate the exact token, submit it through the web interface, and reset the victim’s password without any authentication. As a result, the attacker can gain full control of the compromised account, potentially including administrative privileges, which leads to a complete loss of confidentiality, accountability, and integrity for that user.
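The weakness described above comes down to three missing properties of the reset token: unpredictability, expiry, and a limit on guesses. The following Python snippet is an added illustration of how a password-reset token is usually built to have all three; it is not Chamilo's code, and the policy values (15-minute lifetime, 5 failed attempts per 10-minute window) and the in-memory stand-ins for database tables are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical policy values chosen for this example (not Chamilo's settings).
TOKEN_TTL_SECONDS = 15 * 60        # a reset link is valid for 15 minutes
MAX_FAILED_ATTEMPTS = 5            # failed redemptions per email before lockout
ATTEMPT_WINDOW_SECONDS = 10 * 60   # sliding window for counting failures

# In-memory stand-ins for database tables (constructed for the example).
# _reset_store is keyed by the SHA-256 of the token, never the raw token,
# so a leaked table does not hand out usable reset links.
_reset_store = {}        # token_hash -> {"email", "expires_at", "used"}
_failed_attempts = {}    # email -> [timestamps of failed redemptions]


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Create an unpredictable, single-use, time-limited reset token.

    The token comes from the OS CSPRNG and is not a function of the email,
    so knowing the address reveals nothing about the token (unlike a bare
    hash of the address). Only the token's hash is persisted; the raw value
    is handed to the user exactly once, in the reset e-mail.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of entropy
    _reset_store[_hash_token(token)] = {
        "email": email,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def _rate_limited(email: str, now: float) -> bool:
    """True if this email has exhausted its failed attempts in the window."""
    recent = [t for t in _failed_attempts.get(email, [])
              if now - t < ATTEMPT_WINDOW_SECONDS]
    _failed_attempts[email] = recent
    return len(recent) >= MAX_FAILED_ATTEMPTS


def redeem_reset_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Validate a submitted token; return True exactly once for a live token.

    Every rejection returns the same False, so the caller cannot distinguish
    a wrong token from an expired or already-used one, and each failure
    counts toward the per-email lockout.
    """
    now = time.time() if now is None else now
    if _rate_limited(email, now):
        return False

    record = _reset_store.get(_hash_token(token))
    valid = (
        record is not None
        and not record["used"]
        and now <= record["expires_at"]
        and hmac.compare_digest(record["email"].encode("utf-8"),
                                email.encode("utf-8"))
    )
    if not valid:
        _failed_attempts.setdefault(email, []).append(now)
        return False

    record["used"] = True  # single use: a replayed link is refused
    return True
```

In a real deployment the two dictionaries are database tables, the raw token travels only in the reset e-mail (never into logs), and the lockout counter is what turns a guessable-but-random token into a non-issue; a deterministic token has no such protection because the first guess is already correct.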
Affected Systems
Vulnerable versions are all releases of chamilo-lms older than 1.11.38 and 2.0.0‑RC.3. The issue applies to the default password‑reset functionality distributed with the core Chamilo LMS package. Administrators should check which version they are running and upgrade to 1.11.38 or 2.0.0‑RC.3 (or later on the respective release line) if it is older. The affected component is the web‑based password reset endpoint.
Risk and Exploitability
The CVSS score of 9.4 indicates critical severity, reflecting the high impact combined with a network‑reachable attack vector. No EPSS value is provided, but the lack of rate limiting and the static token generation make exploitation trivial once the victim’s email is known. The vulnerability is not currently catalogued in CISA’s KEV list; nevertheless, the high CVSS score and the potential for remote exploitation make immediate remediation essential. The likely attack vector is remote over the web, since an attacker can obtain the token by simple computation rather than by guessing.
OpenCVE Enrichment