<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Lms — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/lms/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 11 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/lms/feed.xml" rel="self" type="application/rss+xml"/><item><title>Chamilo LMS Weak Password Reset Vulnerability (CVE-2026-33707)</title><link>https://feed.craftedsignal.io/briefs/2026-04-chamilo-lms-weak-password-reset/</link><pubDate>Sat, 11 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-chamilo-lms-weak-password-reset/</guid><description>Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to a weak password reset mechanism, allowing attackers to compute password reset tokens using only a user's email address due to the use of SHA1 hashing without randomization, expiration, or rate limiting, leading to unauthorized account takeover.</description><content:encoded><![CDATA[<p>Chamilo LMS, a widely used learning management system, is susceptible to a critical vulnerability (CVE-2026-33707) affecting versions prior to 1.11.38 and 2.0.0-RC.3. The vulnerability lies within the default password reset mechanism, which generates password reset tokens by applying SHA1 hashing directly to user email addresses. This flawed process lacks essential security measures, including the addition of random salts, token expiration, and rate limiting. 
An attacker who obtains a target user&rsquo;s email address can calculate the password reset token and gain unauthorized access to the user&rsquo;s account, bypassing authentication controls. The vulnerability was publicly disclosed in April 2026 and patched in versions 1.11.38 and 2.0.0-RC.3. Organizations using vulnerable versions of Chamilo LMS are at high risk of account compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a valid email address associated with a Chamilo LMS user. This information may be obtained through OSINT or data breaches.</li>
<li>The attacker navigates to the password reset page of the Chamilo LMS instance.</li>
<li>The attacker enters the victim&rsquo;s email address into the password reset form.</li>
<li>The system generates a password reset token by applying SHA1 to the victim&rsquo;s email address without any salt or random component.</li>
<li>The attacker computes the SHA1 hash of the victim&rsquo;s email address offline.</li>
<li>The attacker uses the computed SHA1 hash as the password reset token in a crafted request to the password reset confirmation endpoint.</li>
<li>The Chamilo LMS instance validates the attacker-supplied token against the SHA1 hash of the email.</li>
<li>The attacker sets a new password for the victim&rsquo;s account and gains full access to the compromised account.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33707 allows an attacker to take complete control of user accounts within the Chamilo LMS platform. This can lead to data breaches, modification of course content, disruption of educational activities, and potential reputational damage for the affected institution. The lack of rate limiting on password reset requests can allow for automated account takeover attempts affecting many users. Given the widespread use of Chamilo LMS in educational institutions and organizations globally, the potential impact is significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade Chamilo LMS installations to version 1.11.38 or 2.0.0-RC.3 to remediate CVE-2026-33707.</li>
<li>Implement rate limiting on password reset requests to slow automated attempts to exploit this vulnerability.</li>
<li>Deploy the Sigma rules that accompany this brief to detect exploitation attempts by monitoring password reset requests.</li>
<li>Monitor web server logs for password reset requests that originate from unusual IPs or arrive at an unusually high frequency.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>CVE-2026-33707</category><category>chamilo</category><category>lms</category><category>password-reset</category><category>credential-access</category></item><item><title>Chamilo LMS SSRF Vulnerability in Social Wall Feature</title><link>https://feed.craftedsignal.io/briefs/2026-04-chamilo-ssrf/</link><pubDate>Sat, 11 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-chamilo-ssrf/</guid><description>A Server-Side Request Forgery (SSRF) vulnerability exists in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3, allowing authenticated attackers to make arbitrary HTTP requests, scan internal ports, and access cloud instance metadata via the Social Wall feature.</description><content:encoded><![CDATA[<p>Chamilo LMS, a learning management system, is vulnerable to Server-Side Request Forgery (SSRF) in versions prior to 1.11.38 and 2.0.0-RC.3. This vulnerability resides in the Social Wall feature, specifically the <code>read_url_with_open_graph</code> endpoint. By supplying a crafted URL via the <code>social_wall_new_msg_main</code> POST parameter, an authenticated attacker can force the Chamilo LMS server to make arbitrary HTTP requests. This SSRF can be leveraged to probe internal services, perform port scanning on the internal network, and potentially access sensitive cloud instance metadata. The vulnerability was patched in versions 1.11.38 and 2.0.0-RC.3. Defenders should prioritize patching and monitoring for suspicious outbound HTTP requests originating from the Chamilo LMS server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the Chamilo LMS platform with valid user credentials.</li>
<li>The attacker crafts a malicious URL targeting an internal service or resource.</li>
<li>The attacker initiates a POST request to the <code>read_url_with_open_graph</code> endpoint.</li>
<li>The POST request includes the crafted URL within the <code>social_wall_new_msg_main</code> parameter.</li>
<li>The Chamilo LMS server, without proper validation, processes the POST request.</li>
<li>The server then makes an HTTP request to the attacker-supplied URL.</li>
<li>If the URL targets an internal service, the attacker may gain unauthorized access or information.</li>
<li>Successful exploitation allows the attacker to scan internal ports and potentially access cloud instance metadata, leading to further reconnaissance or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SSRF vulnerability could allow an attacker to gain unauthorized access to internal services and data within the organization&rsquo;s network. An attacker could use this vulnerability to enumerate internal systems, gather sensitive information, and potentially escalate privileges within the network. This could also lead to lateral movement, data exfiltration, or other malicious activities. The severity of the impact depends on the sensitivity of the internal services exposed and the attacker&rsquo;s objectives.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-31941.</li>
<li>Implement network segmentation to limit the impact of potential SSRF attacks.</li>
<li>Monitor web server logs for POST requests to <code>/main/social/social_wall/social_wall.ajax.php</code> with unusual URLs in the <code>social_wall_new_msg_main</code> parameter to detect potential exploitation attempts.</li>
<li>Deploy the Sigma rule to detect requests with unusual URLs to <code>social_wall.ajax.php</code>.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>chamilo</category><category>ssrf</category><category>cve-2026-31941</category><category>lms</category></item><item><title>Chamilo LMS Insecure Direct Object Reference Vulnerability (CVE-2026-32930)</title><link>https://feed.craftedsignal.io/briefs/2026-04-chamilo-idor/</link><pubDate>Fri, 10 Apr 2026 18:16:42 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-chamilo-idor/</guid><description>An Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS (CVE-2026-32930) allows authenticated teachers to modify gradebook evaluation settings of other courses by manipulating the 'editeval' GET parameter, leading to unauthorized data modification.</description><content:encoded><![CDATA[<p>Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability, identified as CVE-2026-32930. This flaw exists in the gradebook evaluation edit page. An authenticated teacher can exploit this vulnerability to view and modify the settings (name, max score, weight) of evaluations belonging to other courses. This is achieved by manipulating the <code>editeval</code> GET parameter. Successful exploitation allows unauthorized modification of gradebook settings, potentially affecting student grades and overall course integrity. The vulnerability was patched in versions 1.11.38 and 2.0.0-RC.3. This affects any Chamilo LMS instance running a vulnerable version accessible to authenticated users.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to Chamilo LMS as a teacher.</li>
<li>The attacker navigates to the gradebook section of a course they have access to.</li>
<li>The attacker identifies the URL used to edit an evaluation, noting the <code>editeval</code> parameter and its associated value.</li>
<li>The attacker modifies the <code>editeval</code> parameter value to reference an evaluation ID from a different course.</li>
<li>The attacker submits the modified request to the Chamilo LMS server.</li>
<li>The server, due to the IDOR vulnerability, processes the request without proper authorization checks.</li>
<li>The attacker is able to view and modify the settings (name, max score, weight) of the evaluation belonging to the other course.</li>
<li>The attacker saves the changes, which are then reflected in the gradebook of the targeted course.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-32930 can lead to unauthorized modification of gradebook evaluation settings. This could result in inaccurate grades, unfair assessment of students, and overall compromise of the learning environment&rsquo;s integrity. Given that Chamilo LMS is used by educational institutions worldwide, a successful attack could affect a large number of students and teachers. The unauthorized changes could disrupt the educational process and erode trust in the system.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-32930.</li>
<li>Deploy the Sigma rule <code>Detect Chamilo Gradebook Edit Request</code> to identify attempts to exploit this IDOR vulnerability by monitoring for suspicious <code>editeval</code> parameter values.</li>
<li>Review web server logs for requests containing the <code>editeval</code> parameter where the value does not correspond to an evaluation in a course the requesting user has access to.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>idor</category><category>chamilo</category><category>lms</category><category>cve-2026-32930</category></item></channel></rss>