CVE-2026-32894
7.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Summary
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the delete_mark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| chamilo | chamilo-lms | < 1.11.38 | affected |
| chamilo | chamilo-lms | >= 2.0.0-alpha.1, < 2.0.0-RC.3 | affected |
Weaknesses
- CWE-476: CWE-476: NULL Pointer Dereference
- CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rqpg-p95v-fv98
- https://github.com/chamilo/chamilo-lms/commit/3b03306d1a0301a81b9284e86893b27f518ab151
- https://github.com/chamilo/chamilo-lms/commit/740f5a6e192a52a3adde3c3241c86401b1d2c519
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.