{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.4,"id":"CVE-2026-33707"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-33707","chamilo","lms","password-reset","credential-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a widely used learning management system, is susceptible to a critical vulnerability (CVE-2026-33707) affecting versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability lies within the default password reset mechanism, which generates password reset tokens by applying SHA1 hashing directly to user email addresses. This flawed process lacks essential security measures, including the addition of random salts, token expiration, and rate limiting. An attacker who obtains a target user\u0026rsquo;s email address can calculate the password reset token and gain unauthorized access to the user\u0026rsquo;s account, bypassing authentication controls. The vulnerability was publicly disclosed in April 2026 and patched in versions 1.11.38 and 2.0.0-RC.3. Organizations using vulnerable versions of Chamilo LMS are at high risk of account compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a valid email address associated with a Chamilo LMS user. This information may be obtained through OSINT or data breaches.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the password reset page of the Chamilo LMS instance.\u003c/li\u003e\n\u003cli\u003eThe attacker enters the victim\u0026rsquo;s email address into the password reset form.\u003c/li\u003e\n\u003cli\u003eThe system generates a password reset token by applying SHA1 to the victim\u0026rsquo;s email address without any salt or random component.\u003c/li\u003e\n\u003cli\u003eThe attacker computes the SHA1 hash of the victim\u0026rsquo;s email address offline.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the computed SHA1 hash as the password reset token in a crafted request to the password reset confirmation endpoint.\u003c/li\u003e\n\u003cli\u003eThe Chamilo LMS instance validates the attacker-supplied token against the SHA1 hash of the email.\u003c/li\u003e\n\u003cli\u003eThe attacker sets a new password for the victim\u0026rsquo;s account and gains full access to the compromised account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33707 allows an attacker to take complete control of user accounts within the Chamilo LMS platform. This can lead to data breaches, modification of course content, disruption of educational activities, and potential reputational damage for the affected institution. The lack of rate limiting on password reset requests can allow for automated account takeover attempts affecting many users. Given the widespread use of Chamilo LMS in educational institutions and organizations globally, the potential impact is significant.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 to remediate CVE-2026-33707.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on password reset requests to mitigate automated attacks attempting to exploit this vulnerability (reference: Overview section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules below to detect attempts to exploit this vulnerability by monitoring password reset requests (reference: rules section).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious password reset requests originating from unusual IPs or with unusually high frequency (reference: rules logsource).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-lms-weak-password-reset/","summary":"Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to a weak password reset mechanism, allowing attackers to compute password reset tokens using only a user's email address due to the use of SHA1 hashing without randomization, expiration, or rate limiting, leading to unauthorized account takeover.","title":"Chamilo LMS Weak Password Reset Vulnerability (CVE-2026-33707)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-lms-weak-password-reset/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-31941"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["chamilo","ssrf","cve-2026-31941","lms"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a learning management system, is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 1.11.38 and 2.0.0-RC.3. This vulnerability resides in the Social Wall feature, specifically the \u003ccode\u003eread_url_with_open_graph\u003c/code\u003e endpoint. By supplying a crafted URL via the \u003ccode\u003esocial_wall_new_msg_main\u003c/code\u003e POST parameter, an authenticated attacker can force the Chamilo LMS server to make arbitrary HTTP requests. This SSRF can be leveraged to probe internal services, perform port scanning on the internal network, and potentially access sensitive cloud instance metadata. The vulnerability was patched in versions 1.11.38 and 2.0.0-RC.3. Defenders should prioritize patching and monitoring for suspicious outbound HTTP requests originating from the Chamilo LMS server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Chamilo LMS platform with valid user credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL targeting an internal service or resource.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a POST request to the \u003ccode\u003eread_url_with_open_graph\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the crafted URL within the \u003ccode\u003esocial_wall_new_msg_main\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe Chamilo LMS server, without proper validation, processes the POST request.\u003c/li\u003e\n\u003cli\u003eThe server then makes an HTTP request to the attacker-supplied URL.\u003c/li\u003e\n\u003cli\u003eIf the URL targets an internal service, the attacker may gain unauthorized access or information.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to scan internal ports and potentially access cloud instance metadata, leading to further reconnaissance or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability could allow an attacker to gain unauthorized access to internal services and data within the organization\u0026rsquo;s network. An attacker could use this vulnerability to enumerate internal systems, gather sensitive information, and potentially escalate privileges within the network. This could also lead to lateral movement, data exfiltration, or other malicious activities. The severity of the impact depends on the sensitivity of the internal services exposed and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-31941.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/main/social/social_wall/social_wall.ajax.php\u003c/code\u003e with unusual URLs in the \u003ccode\u003esocial_wall_new_msg_main\u003c/code\u003e parameter to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect requests with unusual URLs to \u003ccode\u003esocial_wall.ajax.php\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T12:00:00Z","date_published":"2026-04-11T12:00:00Z","id":"/briefs/2026-04-chamilo-ssrf/","summary":"A Server-Side Request Forgery (SSRF) vulnerability exists in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3, allowing authenticated attackers to make arbitrary HTTP requests, scan internal ports, and access cloud instance metadata via the Social Wall feature.","title":"Chamilo LMS SSRF Vulnerability in Social Wall Feature","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-ssrf/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-32930"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["idor","chamilo","lms","cve-2026-32930"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability, identified as CVE-2026-32930. This flaw exists in the gradebook evaluation edit page. An authenticated teacher can exploit this vulnerability to view and modify the settings (name, max score, weight) of evaluations belonging to other courses. This is achieved by manipulating the \u003ccode\u003eediteval\u003c/code\u003e GET parameter. Successful exploitation allows unauthorized modification of gradebook settings, potentially affecting student grades and overall course integrity. The vulnerability was patched in versions 1.11.38 and 2.0.0-RC.3. This affects any Chamilo LMS instance running a vulnerable version accessible to authenticated users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to Chamilo LMS as a teacher.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the gradebook section of a course they have access to.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the URL used to edit an evaluation, noting the \u003ccode\u003eediteval\u003c/code\u003e parameter and its associated value.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eediteval\u003c/code\u003e parameter value to reference an evaluation ID from a different course.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the modified request to the Chamilo LMS server.\u003c/li\u003e\n\u003cli\u003eThe server, due to the IDOR vulnerability, processes the request without proper authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker is able to view and modify the settings (name, max score, weight) of the evaluation belonging to the other course.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the changes, which are then reflected in the gradebook of the targeted course.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-32930 can lead to unauthorized modification of gradebook evaluation settings. This could result in inaccurate grades, unfair assessment of students, and overall compromise of the learning environment\u0026rsquo;s integrity. Given that Chamilo LMS is used by educational institutions worldwide, a successful attack could affect a large number of students and teachers. The unauthorized changes could disrupt the educational process and erode trust in the system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-32930, as indicated in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Chamilo Gradebook Edit Request\u003c/code\u003e to identify attempts to exploit this IDOR vulnerability by monitoring for suspicious \u003ccode\u003eediteval\u003c/code\u003e parameter modifications.\u003c/li\u003e\n\u003cli\u003eReview web server logs for requests containing the \u003ccode\u003eediteval\u003c/code\u003e parameter where the associated value appears out of sequence with the user\u0026rsquo;s course access, related to the Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-10T18:16:42Z","date_published":"2026-04-10T18:16:42Z","id":"/briefs/2026-04-chamilo-idor/","summary":"An Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS (CVE-2026-32930) allows authenticated teachers to modify gradebook evaluation settings of other courses by manipulating the 'editeval' GET parameter, leading to unauthorized data modification.","title":"Chamilo LMS Insecure Direct Object Reference Vulnerability (CVE-2026-32930)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-idor/"}],"language":"en","title":"CraftedSignal Threat Feed — Lms","version":"https://jsonfeed.org/version/1.1"}