https://feed.craftedsignal.io/tags/chamilo/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 11 Apr 2026 12:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-chamilo-lms-weak-password-reset/Sat, 11 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-chamilo-lms-weak-password-reset/Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to a weak password reset mechanism, allowing attackers to compute password reset tokens using only a user's email address due to the use of SHA1 hashing without randomization, expiration, or rate limiting, leading to unauthorized account takeover.Chamilo LMS, a widely used learning management system, is susceptible to a critical vulnerability (CVE-2026-33707) affecting versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability lies within the default password reset mechanism, which generates password reset tokens by applying SHA1 hashing directly to user email addresses. This flawed process lacks essential security measures, including the addition of random salts, token expiration, and rate limiting. An attacker who obtains a target user’s email address can calculate the password reset token and gain unauthorized access to the user’s account, bypassing authentication controls. The vulnerability was publicly disclosed in April 2026 and patched in versions 1.11.38 and 2.0.0-RC.3. Organizations using vulnerable versions of Chamilo LMS are at high risk of account compromise.

Attack Chain

1. The attacker identifies a valid email address associated with a Chamilo LMS user. This information may be obtained through OSINT or data breaches.
2. The attacker navigates to the password reset page of the Chamilo LMS instance.
3. The attacker enters the victim’s email address into the password reset form.
4. The system generates a password reset token by applying SHA1 to the victim’s email address without any salt or random component.
5. The attacker computes the SHA1 hash of the victim’s email address offline.
6. The attacker uses the computed SHA1 hash as the password reset token in a crafted request to the password reset confirmation endpoint.
7. The Chamilo LMS instance validates the attacker-supplied token against the SHA1 hash of the email.
8. The attacker sets a new password for the victim’s account and gains full access to the compromised account.

Impact

Successful exploitation of CVE-2026-33707 allows an attacker to take complete control of user accounts within the Chamilo LMS platform. This can lead to data breaches, modification of course content, disruption of educational activities, and potential reputational damage for the affected institution. The lack of rate limiting on password reset requests can allow for automated account takeover attempts affecting many users. Given the widespread use of Chamilo LMS in educational institutions and organizations globally, the potential impact is significant.

Recommendation

• Immediately upgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 to remediate CVE-2026-33707.
• Implement rate limiting on password reset requests to mitigate automated attacks attempting to exploit this vulnerability (reference: Overview section).
• Deploy the Sigma rules below to detect attempts to exploit this vulnerability by monitoring password reset requests (reference: rules section).
• Monitor web server logs for suspicious password reset requests originating from unusual IPs or with unusually high frequency (reference: rules logsource).

]]>criticaladvisoryCVE-2026-33707chamilolmspassword-resetcredential-accesshttps://feed.craftedsignal.io/briefs/2026-04-chamilo-rce/Sat, 11 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-chamilo-rce/Chamilo LMS versions prior to 2.0.0-RC.3 are vulnerable to remote code execution (RCE) via eval injection, where an authenticated administrator can inject arbitrary PHP code into platform settings that is then executed when any user (including unauthenticated) requests the /platform-config/list endpoint.Chamilo LMS is a widely used open-source learning management system. CVE-2026-33618 affects versions prior to 2.0.0-RC.3. The vulnerability lies within the PlatformConfigurationController::decodeSettingArray() method, which unsafely uses PHP’s eval() function to parse platform settings retrieved from the database. An attacker who has already gained administrative access to the Chamilo LMS platform can inject arbitrary PHP code into these settings. This injected code is then executed whenever any user, including unauthenticated users, makes a request to the /platform-config/list endpoint. This allows for unauthenticated remote code execution, making it a critical vulnerability for organizations using affected versions of Chamilo LMS.

Attack Chain

1. Attacker gains administrative access to the Chamilo LMS instance (potentially through a separate vulnerability or compromised credentials).
2. Attacker navigates to the platform configuration settings page within the Chamilo LMS admin panel.
3. Attacker injects malicious PHP code into a configurable setting field. This code is designed to execute arbitrary commands on the server.
4. The injected PHP code is saved to the Chamilo LMS database.
5. An unauthenticated user makes a request to the /platform-config/list endpoint.
6. The PlatformConfigurationController::decodeSettingArray() method is called to process the platform settings from the database.
7. The eval() function executes the attacker’s injected PHP code.
8. The attacker achieves remote code execution on the Chamilo LMS server, enabling them to potentially compromise the entire system and connected networks.

Impact

Successful exploitation of CVE-2026-33618 allows an attacker to execute arbitrary PHP code on the Chamilo LMS server. This can lead to full system compromise, data exfiltration, defacement, or denial-of-service. Given that Chamilo LMS is used by educational institutions and organizations worldwide, a successful attack could impact thousands of users and expose sensitive student or employee data. The vulnerability’s ease of exploitation, requiring only admin access and an unauthenticated request to a specific endpoint, makes it a highly attractive target for malicious actors.

Recommendation

• Immediately upgrade Chamilo LMS instances to version 2.0.0-RC.3 or later to patch CVE-2026-33618.
• Monitor web server logs for requests to the /platform-config/list endpoint originating from unusual IP addresses or user agents using the Sigma rule Chamilo_Suspicious_PlatformConfig_Access.
• Implement the Sigma rule Chamilo_Eval_Based_Code_Execution to detect potential exploitation attempts based on unusual PHP processes spawned from the web server.
• Review and audit all Chamilo LMS administrative accounts for suspicious activity to prevent initial access to vulnerable configuration settings.

]]>criticaladvisorychamilorceeval-injectioncve-2026-33618https://feed.craftedsignal.io/briefs/2026-04-chamilo-ssrf/Sat, 11 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-chamilo-ssrf/A Server-Side Request Forgery (SSRF) vulnerability exists in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3, allowing authenticated attackers to make arbitrary HTTP requests, scan internal ports, and access cloud instance metadata via the Social Wall feature.Chamilo LMS, a learning management system, is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 1.11.38 and 2.0.0-RC.3. This vulnerability resides in the Social Wall feature, specifically the read_url_with_open_graph endpoint. By supplying a crafted URL via the social_wall_new_msg_main POST parameter, an authenticated attacker can force the Chamilo LMS server to make arbitrary HTTP requests. This SSRF can be leveraged to probe internal services, perform port scanning on the internal network, and potentially access sensitive cloud instance metadata. The vulnerability was patched in versions 1.11.38 and 2.0.0-RC.3. Defenders should prioritize patching and monitoring for suspicious outbound HTTP requests originating from the Chamilo LMS server.

Attack Chain

1. An attacker authenticates to the Chamilo LMS platform with valid user credentials.
2. The attacker crafts a malicious URL targeting an internal service or resource.
3. The attacker initiates a POST request to the read_url_with_open_graph endpoint.
4. The POST request includes the crafted URL within the social_wall_new_msg_main parameter.
5. The Chamilo LMS server, without proper validation, processes the POST request.
6. The server then makes an HTTP request to the attacker-supplied URL.
7. If the URL targets an internal service, the attacker may gain unauthorized access or information.
8. Successful exploitation allows the attacker to scan internal ports and potentially access cloud instance metadata, leading to further reconnaissance or lateral movement.

Impact

Successful exploitation of this SSRF vulnerability could allow an attacker to gain unauthorized access to internal services and data within the organization’s network. An attacker could use this vulnerability to enumerate internal systems, gather sensitive information, and potentially escalate privileges within the network. This could also lead to lateral movement, data exfiltration, or other malicious activities. The severity of the impact depends on the sensitivity of the internal services exposed and the attacker’s objectives.

Recommendation

• Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-31941.
• Implement network segmentation to limit the impact of potential SSRF attacks.
• Monitor web server logs for POST requests to /main/social/social_wall/social_wall.ajax.php with unusual URLs in the social_wall_new_msg_main parameter to detect potential exploitation attempts.
• Deploy the Sigma rule to detect requests with unusual URLs to social_wall.ajax.php.

]]>highadvisorychamilossrfcve-2026-31941lmshttps://feed.craftedsignal.io/briefs/2026-04-chamilo-api-key-bruteforce/Sat, 11 Apr 2026 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-chamilo-api-key-bruteforce/Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 generate predictable REST API keys, allowing attackers with knowledge of a username and approximate key creation time to brute-force access.Chamilo LMS, a popular learning management system, contains a vulnerability in versions prior to 1.11.38 and 2.0.0-RC.3 related to the generation of REST API keys (CVE-2026-33710). The API keys are generated using a flawed algorithm: md5(time() + (user_id * 5) - rand(10000, 10000)). Due to rand(10000, 10000) always returning 10000, the formula simplifies to md5(timestamp + user_id*5 - 10000). An attacker knowing a valid username and a rough estimate of when the API key was generated can brute-force the key due to the limited entropy. This vulnerability allows unauthorized access to the Chamilo LMS REST API. The vulnerability was reported and patched in versions 1.11.38 and 2.0.0-RC.3. This poses a significant threat to educational institutions and organizations using vulnerable versions of Chamilo LMS.

Attack Chain

1. Attacker identifies a target Chamilo LMS instance running a vulnerable version (prior to 1.11.38 or 2.0.0-RC.3).
2. Attacker obtains a valid username on the target Chamilo LMS instance through OSINT or credential stuffing.
3. Attacker estimates the API key creation time. This might be inferred from user activity or system logs.
4. Attacker crafts a script to generate potential API keys based on the predictable formula md5(timestamp + user_id*5 - 10000) using the known username and estimated timestamp.
5. The script iterates through a range of timestamps around the estimated creation time, generating corresponding MD5 hashes.
6. Attacker sends API requests with the generated API keys to the Chamilo LMS server.
7. The server validates the API key against the user.
8. Upon successful validation, the attacker gains unauthorized access to the Chamilo LMS REST API, potentially allowing them to modify course content, access user data, or perform other malicious actions.

Impact

Successful exploitation of CVE-2026-33710 can lead to unauthorized access to sensitive data within the Chamilo LMS, including user information, course materials, and grades. This could result in data breaches, academic fraud, and reputational damage for affected organizations. The vulnerability affects all organizations running vulnerable versions of Chamilo LMS; the number of victims is correlated to the number of vulnerable deployments.

Recommendation

• Upgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-33710.
• Monitor web server logs for unusual API requests originating from unexpected IP addresses, especially those containing potentially valid API keys by deploying the provided Sigma rule.
• Implement rate limiting on API endpoints to mitigate brute-force attempts.
• If upgrading is not immediately feasible, consider temporarily disabling the REST API.
• Review and audit user permissions within Chamilo LMS to minimize the impact of potential unauthorized access.

]]>highadvisorycve-2026-33710chamiloapi-keybrute-forcewebserverhttps://feed.craftedsignal.io/briefs/2026-04-chamilo-idor/Fri, 10 Apr 2026 18:16:42 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-chamilo-idor/An Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS (CVE-2026-32930) allows authenticated teachers to modify gradebook evaluation settings of other courses by manipulating the 'editeval' GET parameter, leading to unauthorized data modification.Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability, identified as CVE-2026-32930. This flaw exists in the gradebook evaluation edit page. An authenticated teacher can exploit this vulnerability to view and modify the settings (name, max score, weight) of evaluations belonging to other courses. This is achieved by manipulating the editeval GET parameter. Successful exploitation allows unauthorized modification of gradebook settings, potentially affecting student grades and overall course integrity. The vulnerability was patched in versions 1.11.38 and 2.0.0-RC.3. This affects any Chamilo LMS instance running a vulnerable version accessible to authenticated users.

Attack Chain

1. An attacker authenticates to Chamilo LMS as a teacher.
2. The attacker navigates to the gradebook section of a course they have access to.
3. The attacker identifies the URL used to edit an evaluation, noting the editeval parameter and its associated value.
4. The attacker modifies the editeval parameter value to reference an evaluation ID from a different course.
5. The attacker submits the modified request to the Chamilo LMS server.
6. The server, due to the IDOR vulnerability, processes the request without proper authorization checks.
7. The attacker is able to view and modify the settings (name, max score, weight) of the evaluation belonging to the other course.
8. The attacker saves the changes, which are then reflected in the gradebook of the targeted course.

Impact

The successful exploitation of CVE-2026-32930 can lead to unauthorized modification of gradebook evaluation settings. This could result in inaccurate grades, unfair assessment of students, and overall compromise of the learning environment’s integrity. Given that Chamilo LMS is used by educational institutions worldwide, a successful attack could affect a large number of students and teachers. The unauthorized changes could disrupt the educational process and erode trust in the system.

Recommendation

• Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-32930, as indicated in the overview.
• Deploy the Sigma rule Detect Chamilo Gradebook Edit Request to identify attempts to exploit this IDOR vulnerability by monitoring for suspicious editeval parameter modifications.
• Review web server logs for requests containing the editeval parameter where the associated value appears out of sequence with the user’s course access, related to the Sigma rule.

]]>highadvisoryidorchamilolmscve-2026-32930