{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/chamilo/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.4,"id":"CVE-2026-33707"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-33707","chamilo","lms","password-reset","credential-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a widely used learning management system, is susceptible to a critical vulnerability (CVE-2026-33707) affecting versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability lies within the default password reset mechanism, which generates password reset tokens by applying SHA1 hashing directly to user email addresses. This flawed process lacks essential security measures, including the addition of random salts, token expiration, and rate limiting. An attacker who obtains a target user\u0026rsquo;s email address can calculate the password reset token and gain unauthorized access to the user\u0026rsquo;s account, bypassing authentication controls. The vulnerability was publicly disclosed in April 2026 and patched in versions 1.11.38 and 2.0.0-RC.3. Organizations using vulnerable versions of Chamilo LMS are at high risk of account compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a valid email address associated with a Chamilo LMS user. This information may be obtained through OSINT or data breaches.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the password reset page of the Chamilo LMS instance.\u003c/li\u003e\n\u003cli\u003eThe attacker enters the victim\u0026rsquo;s email address into the password reset form.\u003c/li\u003e\n\u003cli\u003eThe system generates a password reset token by applying SHA1 to the victim\u0026rsquo;s email address without any salt or random component.\u003c/li\u003e\n\u003cli\u003eThe attacker computes the SHA1 hash of the victim\u0026rsquo;s email address offline.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the computed SHA1 hash as the password reset token in a crafted request to the password reset confirmation endpoint.\u003c/li\u003e\n\u003cli\u003eThe Chamilo LMS instance validates the attacker-supplied token against the SHA1 hash of the email.\u003c/li\u003e\n\u003cli\u003eThe attacker sets a new password for the victim\u0026rsquo;s account and gains full access to the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33707 allows an attacker to take complete control of user accounts within the Chamilo LMS platform. This can lead to data breaches, modification of course content, disruption of educational activities, and potential reputational damage for the affected institution. The lack of rate limiting on password reset requests can allow for automated account takeover attempts affecting many users. Given the widespread use of Chamilo LMS in educational institutions and organizations globally, the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 to remediate CVE-2026-33707.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on password reset requests to mitigate automated attacks attempting to exploit this vulnerability (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to detect attempts to exploit this vulnerability by monitoring password reset requests (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious password reset requests originating from unusual IPs or with unusually high frequency (reference: rules logsource).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-lms-weak-password-reset/","summary":"Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to a weak password reset mechanism, allowing attackers to compute password reset tokens using only a user's email address due to the use of SHA1 hashing without randomization, expiration, or rate limiting, leading to unauthorized account takeover.","title":"Chamilo LMS Weak Password Reset Vulnerability (CVE-2026-33707)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-lms-weak-password-reset/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-33618"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["chamilo","rce","eval-injection","cve-2026-33618"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS is a widely used open-source learning management system. CVE-2026-33618 affects versions prior to 2.0.0-RC.3. The vulnerability lies within the \u003ccode\u003ePlatformConfigurationController::decodeSettingArray()\u003c/code\u003e method, which unsafely uses PHP\u0026rsquo;s \u003ccode\u003eeval()\u003c/code\u003e function to parse platform settings retrieved from the database. An attacker who has already gained administrative access to the Chamilo LMS platform can inject arbitrary PHP code into these settings. This injected code is then executed whenever \u003cem\u003eany\u003c/em\u003e user, including unauthenticated users, makes a request to the \u003ccode\u003e/platform-config/list\u003c/code\u003e endpoint. This allows for unauthenticated remote code execution, making it a critical vulnerability for organizations using affected versions of Chamilo LMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains administrative access to the Chamilo LMS instance (potentially through a separate vulnerability or compromised credentials).\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the platform configuration settings page within the Chamilo LMS admin panel.\u003c/li\u003e\n\u003cli\u003eAttacker injects malicious PHP code into a configurable setting field. This code is designed to execute arbitrary commands on the server.\u003c/li\u003e\n\u003cli\u003eThe injected PHP code is saved to the Chamilo LMS database.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated user makes a request to the \u003ccode\u003e/platform-config/list\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ePlatformConfigurationController::decodeSettingArray()\u003c/code\u003e method is called to process the platform settings from the database.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eeval()\u003c/code\u003e function executes the attacker\u0026rsquo;s injected PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution on the Chamilo LMS server, enabling them to potentially compromise the entire system and connected networks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33618 allows an attacker to execute arbitrary PHP code on the Chamilo LMS server. This can lead to full system compromise, data exfiltration, defacement, or denial-of-service. Given that Chamilo LMS is used by educational institutions and organizations worldwide, a successful attack could impact thousands of users and expose sensitive student or employee data. The vulnerability\u0026rsquo;s ease of exploitation, requiring only admin access and an unauthenticated request to a specific endpoint, makes it a highly attractive target for malicious actors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Chamilo LMS instances to version 2.0.0-RC.3 or later to patch CVE-2026-33618.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/platform-config/list\u003c/code\u003e endpoint originating from unusual IP addresses or user agents using the Sigma rule \u003ccode\u003eChamilo_Suspicious_PlatformConfig_Access\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eChamilo_Eval_Based_Code_Execution\u003c/code\u003e to detect potential exploitation attempts based on unusual PHP processes spawned from the web server.\u003c/li\u003e\n\u003cli\u003eReview and audit all Chamilo LMS administrative accounts for suspicious activity to prevent initial access to vulnerable configuration settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-rce/","summary":"Chamilo LMS versions prior to 2.0.0-RC.3 are vulnerable to remote code execution (RCE) via eval injection, where an authenticated administrator can inject arbitrary PHP code into platform settings that is then executed when any user (including unauthenticated) requests the /platform-config/list endpoint.","title":"Chamilo LMS Unauthenticated Remote Code Execution via Configuration Injection (CVE-2026-33618)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-rce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-31941"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chamilo","ssrf","cve-2026-31941","lms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a learning management system, is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 1.11.38 and 2.0.0-RC.3. This vulnerability resides in the Social Wall feature, specifically the \u003ccode\u003eread_url_with_open_graph\u003c/code\u003e endpoint. By supplying a crafted URL via the \u003ccode\u003esocial_wall_new_msg_main\u003c/code\u003e POST parameter, an authenticated attacker can force the Chamilo LMS server to make arbitrary HTTP requests. This SSRF can be leveraged to probe internal services, perform port scanning on the internal network, and potentially access sensitive cloud instance metadata. The vulnerability was patched in versions 1.11.38 and 2.0.0-RC.3. Defenders should prioritize patching and monitoring for suspicious outbound HTTP requests originating from the Chamilo LMS server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Chamilo LMS platform with valid user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting an internal service or resource.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a POST request to the \u003ccode\u003eread_url_with_open_graph\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the crafted URL within the \u003ccode\u003esocial_wall_new_msg_main\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe Chamilo LMS server, without proper validation, processes the POST request.\u003c/li\u003e\n\u003cli\u003eThe server then makes an HTTP request to the attacker-supplied URL.\u003c/li\u003e\n\u003cli\u003eIf the URL targets an internal service, the attacker may gain unauthorized access or information.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to scan internal ports and potentially access cloud instance metadata, leading to further reconnaissance or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability could allow an attacker to gain unauthorized access to internal services and data within the organization\u0026rsquo;s network. An attacker could use this vulnerability to enumerate internal systems, gather sensitive information, and potentially escalate privileges within the network. This could also lead to lateral movement, data exfiltration, or other malicious activities. The severity of the impact depends on the sensitivity of the internal services exposed and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-31941.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/main/social/social_wall/social_wall.ajax.php\u003c/code\u003e with unusual URLs in the \u003ccode\u003esocial_wall_new_msg_main\u003c/code\u003e parameter to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect requests with unusual URLs to \u003ccode\u003esocial_wall.ajax.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-ssrf/","summary":"A Server-Side Request Forgery (SSRF) vulnerability exists in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3, allowing authenticated attackers to make arbitrary HTTP requests, scan internal ports, and access cloud instance metadata via the Social Wall feature.","title":"Chamilo LMS SSRF Vulnerability in Social Wall Feature","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-33710"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33710","chamilo","api-key","brute-force","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a popular learning management system, contains a vulnerability in versions prior to 1.11.38 and 2.0.0-RC.3 related to the generation of REST API keys (CVE-2026-33710). The API keys are generated using a flawed algorithm: \u003ccode\u003emd5(time() + (user_id * 5) - rand(10000, 10000))\u003c/code\u003e. Due to \u003ccode\u003erand(10000, 10000)\u003c/code\u003e always returning 10000, the formula simplifies to \u003ccode\u003emd5(timestamp + user_id*5 - 10000)\u003c/code\u003e. An attacker knowing a valid username and a rough estimate of when the API key was generated can brute-force the key due to the limited entropy. This vulnerability allows unauthorized access to the Chamilo LMS REST API. The vulnerability was reported and patched in versions 1.11.38 and 2.0.0-RC.3. This poses a significant threat to educational institutions and organizations using vulnerable versions of Chamilo LMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target Chamilo LMS instance running a vulnerable version (prior to 1.11.38 or 2.0.0-RC.3).\u003c/li\u003e\n\u003cli\u003eAttacker obtains a valid username on the target Chamilo LMS instance through OSINT or credential stuffing.\u003c/li\u003e\n\u003cli\u003eAttacker estimates the API key creation time. This might be inferred from user activity or system logs.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a script to generate potential API keys based on the predictable formula \u003ccode\u003emd5(timestamp + user_id*5 - 10000)\u003c/code\u003e using the known username and estimated timestamp.\u003c/li\u003e\n\u003cli\u003eThe script iterates through a range of timestamps around the estimated creation time, generating corresponding MD5 hashes.\u003c/li\u003e\n\u003cli\u003eAttacker sends API requests with the generated API keys to the Chamilo LMS server.\u003c/li\u003e\n\u003cli\u003eThe server validates the API key against the user.\u003c/li\u003e\n\u003cli\u003eUpon successful validation, the attacker gains unauthorized access to the Chamilo LMS REST API, potentially allowing them to modify course content, access user data, or perform other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33710 can lead to unauthorized access to sensitive data within the Chamilo LMS, including user information, course materials, and grades. This could result in data breaches, academic fraud, and reputational damage for affected organizations. The vulnerability affects all organizations running vulnerable versions of Chamilo LMS; the number of victims is correlated to the number of vulnerable deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-33710.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for unusual API requests originating from unexpected IP addresses, especially those containing potentially valid API keys by deploying the provided Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on API endpoints to mitigate brute-force attempts.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, consider temporarily disabling the REST API.\u003c/li\u003e\n\u003cli\u003eReview and audit user permissions within Chamilo LMS to minimize the impact of potential unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-api-key-bruteforce/","summary":"Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 generate predictable REST API keys, allowing attackers with knowledge of a username and approximate key creation time to brute-force access.","title":"Chamilo LMS REST API Key Brute-Force Vulnerability (CVE-2026-33710)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-api-key-bruteforce/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-32930"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["idor","chamilo","lms","cve-2026-32930"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability, identified as CVE-2026-32930. This flaw exists in the gradebook evaluation edit page. An authenticated teacher can exploit this vulnerability to view and modify the settings (name, max score, weight) of evaluations belonging to other courses. This is achieved by manipulating the \u003ccode\u003eediteval\u003c/code\u003e GET parameter. Successful exploitation allows unauthorized modification of gradebook settings, potentially affecting student grades and overall course integrity. The vulnerability was patched in versions 1.11.38 and 2.0.0-RC.3. This affects any Chamilo LMS instance running a vulnerable version accessible to authenticated users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to Chamilo LMS as a teacher.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the gradebook section of a course they have access to.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the URL used to edit an evaluation, noting the \u003ccode\u003eediteval\u003c/code\u003e parameter and its associated value.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eediteval\u003c/code\u003e parameter value to reference an evaluation ID from a different course.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the modified request to the Chamilo LMS server.\u003c/li\u003e\n\u003cli\u003eThe server, due to the IDOR vulnerability, processes the request without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker is able to view and modify the settings (name, max score, weight) of the evaluation belonging to the other course.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the changes, which are then reflected in the gradebook of the targeted course.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-32930 can lead to unauthorized modification of gradebook evaluation settings. This could result in inaccurate grades, unfair assessment of students, and overall compromise of the learning environment\u0026rsquo;s integrity. Given that Chamilo LMS is used by educational institutions worldwide, a successful attack could affect a large number of students and teachers. The unauthorized changes could disrupt the educational process and erode trust in the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-32930, as indicated in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Chamilo Gradebook Edit Request\u003c/code\u003e to identify attempts to exploit this IDOR vulnerability by monitoring for suspicious \u003ccode\u003eediteval\u003c/code\u003e parameter modifications.\u003c/li\u003e\n\u003cli\u003eReview web server logs for requests containing the \u003ccode\u003eediteval\u003c/code\u003e parameter where the associated value appears out of sequence with the user\u0026rsquo;s course access, related to the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T18:16:42Z","date_published":"2026-04-10T18:16:42Z","id":"/briefs/2026-04-chamilo-idor/","summary":"An Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS (CVE-2026-32930) allows authenticated teachers to modify gradebook evaluation settings of other courses by manipulating the 'editeval' GET parameter, leading to unauthorized data modification.","title":"Chamilo LMS Insecure Direct Object Reference Vulnerability (CVE-2026-32930)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-idor/"}],"language":"en","title":"CraftedSignal Threat Feed — Chamilo","version":"https://jsonfeed.org/version/1.1"}