{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/session-fixation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-31940"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["session-fixation","web-application","cve-2026-31940"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eChamilo LMS, a learning management system, is vulnerable to session fixation (CVE-2026-31940) in versions prior to 1.11.38 and 2.0.0-RC.3. The flaw is in how \u003ccode\u003emain/lp/aicc_hacp.php\u003c/code\u003e handles user-controlled request parameters: their values are passed directly to the PHP session ID before the global bootstrap is loaded. An attacker who gets a victim to send a request carrying a chosen session ID can therefore fix the identifier the victim\u0026rsquo;s browser will keep using; once the victim authenticates on that session, the attacker presents the same ID and hijacks it. The issue was reported and patched, with fixes available in versions 1.11.38 and 2.0.0-RC.3. Defenders should prioritize the fix because it directly affects the integrity and confidentiality of user sessions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a URL, or a form that submits, to \u003ccode\u003emain/lp/aicc_hacp.php\u003c/code\u003e with a request parameter set to an attacker-chosen session ID.\u003c/li\u003e\n\u003cli\u003eAttacker lures a victim into opening the URL or submitting the form.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser sends the request to the Chamilo LMS server with the attacker-controlled session ID.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emain/lp/aicc_hacp.php\u003c/code\u003e passes the attacker-supplied value to the PHP session layer, so the victim\u0026rsquo;s session is created under that ID.\u003c/li\u003e\n\u003cli\u003eThe victim authenticates to Chamilo LMS; the fixed session ID is now bound to an authenticated session.\u003c/li\u003e\n\u003cli\u003eThe attacker presents the predetermined session ID and is treated as the authenticated victim.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized access to the victim\u0026rsquo;s account and associated data within the Chamilo LMS.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to hijack legitimate user sessions on a Chamilo LMS instance. This can mean unauthorized access to sensitive student or instructor data, modification of course content, or other actions taken in the victim\u0026rsquo;s name. The impact is high, particularly for educational institutions and organizations that rely on Chamilo LMS for their online learning platforms.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later to patch CVE-2026-31940.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003emain/lp/aicc_hacp.php\u003c/code\u003e whose parameters carry session ID values, and in particular for one session ID value arriving from more than one client address, which is the fixation pattern itself (attacker plants the ID, victim later presents it). The \u0026ldquo;Detect Potentially Malicious Session ID Parameter\u0026rdquo; Sigma rule covers these requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-11T14:30:00Z","date_published":"2026-04-11T14:30:00Z","id":"/briefs/2026-04-chamilo-session-fixation/","summary":"Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 are vulnerable to session fixation due to user-controlled request parameters being used to set the PHP session ID, potentially allowing attackers to hijack user sessions.","title":"Chamilo LMS Session Fixation Vulnerability (CVE-2026-31940)","url":"https://feed.craftedsignal.io/briefs/2026-04-chamilo-session-fixation/"}],"language":"en","title":"CraftedSignal Threat Feed — Session-Fixation","version":"https://jsonfeed.org/version/1.1"}
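The brief's recommendation to monitor web server logs for requests to main/lp/aicc_hacp.php carrying session ID parameters, worked through as an added example. This is illustrative code written for this page, not CraftedSignal's Sigma rule and not Chamilo code. It assumes Apache combined-format access logs, and the parameter names it looks for (session_id, sid, phpsessid) are an assumption: the advisory only says "user-controlled request parameters" without naming them. The sample log lines are constructed, not real traffic. Beyond flagging individual requests, it correlates the session ID values across client addresses, since one ID presented from two different clients is the fixation chain itself.

```python
"""Hunt for CVE-2026-31940-style session fixation attempts in Apache
combined-format access logs. Added example, not Chamilo or CraftedSignal code."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Apache Combined Log Format:
#   ip ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

TARGET_PATH = "/main/lp/aicc_hacp.php"  # the script named in the advisory

# ASSUMPTION: the advisory only says "user-controlled request parameters";
# these names are a hunting starting point, not the confirmed parameter list.
SESSION_PARAMS = ("session_id", "sid", "phpsessid")

# Constructed sample traffic (not real logs): 203.0.113.7 plants an ID, the
# victim at 198.51.100.23 later presents the same ID, 192.0.2.44 makes a
# benign call to the same script, and one line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [11/Apr/2026:14:01:02 +0000] "GET /main/lp/aicc_hacp.php?session_id=deadbeefcafe1234deadbeefcafe1234 HTTP/1.1" 200 512 "-" "curl/8.4.0"
192.0.2.44 - - [11/Apr/2026:14:02:30 +0000] "GET /main/lp/aicc_hacp.php?command=GetParam HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.23 - - [11/Apr/2026:14:03:15 +0000] "GET /main/lp/aicc_hacp.php?session_id=deadbeefcafe1234deadbeefcafe1234 HTTP/1.1" 200 512 "https://mail.example/" "Mozilla/5.0"
198.51.100.23 - - [11/Apr/2026:14:03:16 +0000] "GET /main/lp/aicc_hacp.php?session_id= HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is not in combined format and must be skipped rather than crash the parser
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it
    does not parse. The query string is split into {name: [values]}."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {
        k.lower(): v
        for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def fixation_attempts(log_text):
    """Requests to the vulnerable script that carry a non-empty session-id
    parameter in the URL. Each hit is (client_ip, param, value, timestamp)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for param in SESSION_PARAMS:
            for value in rec["query"].get(param, []):
                if value:  # an empty value cannot fix a session
                    hits.append((rec["ip"], param, value, rec["ts"]))
    return hits


def shared_session_ids(hits):
    """Session ID values supplied from more than one client address. This is
    the fixation pattern itself: the attacker sets the ID, the victim later
    presents it. Returns {session_id: sorted list of client IPs}."""
    ips_by_id = defaultdict(set)
    for ip, _param, value, _ts in hits:
        ips_by_id[value].add(ip)
    return {sid: sorted(ips) for sid, ips in ips_by_id.items() if len(ips) > 1}


if __name__ == "__main__":
    found = fixation_attempts(SAMPLE_LOG)
    for ip, param, value, ts in found:
        print(f"[{ts}] {ip} sent {param}={value} to {TARGET_PATH}")
    for sid, ips in shared_session_ids(found).items():
        print(f"session id {sid} presented by multiple clients: {', '.join(ips)}")
```

Access logs record URL parameters but normally not POST bodies, so the form-based variant in step 1 of the attack chain would only be visible here if the request body is logged or the WAF captures it; the cross-client correlation in shared_session_ids is the part worth keeping even when the parameter names turn out to differ from the assumed ones.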