Chamilo LMS Insecure Direct Object Reference Vulnerability in Gradebook Allowing Unauthorized Grade Deletion

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. It exists in the gradebook result view page: the code that deletes a result performs no ownership or course-scope check on the result referenced by the delete_mark or resultdelete GET parameter, so any authenticated teacher can delete any student's grade across the platform simply by supplying another result's ID. The vulnerability is fixed in versions 1.11.38 and 2.0.0-RC.3.

Impact

Exploitation allows an authenticated teacher to delete student grade results in any course, not only the teacher's own, which can destroy academic records and expose the institution to legal consequences. A request whose resultdelete parameter references a non-existent result ID also triggers a PHP fatal error, which can be used as a denial-of-service vector.

Reproduction

To reproduce this vulnerability, an authenticated teacher sends a request to the gradebook result view page with a manipulated delete_mark or resultdelete GET parameter set to the ID of a result from a course the teacher is not assigned to. Because the page never checks that the referenced result belongs to an evaluation in one of the teacher's courses, the result is deleted regardless of the teacher's course affiliation. A follow-up request with a resultdelete parameter referencing a non-existent result ID triggers a PHP fatal error, causing a denial-of-service.
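The following Python model illustrates the missing check described in the Vulnerability and Reproduction sections. It is an added example written for this page, not Chamilo code: the data layout (result, evaluation, course, teacher assignment), the function names, and the HTTP-style status codes are all assumptions. The only names taken from the advisory are the delete_mark and resultdelete parameters. The vulnerable handler uses the supplied ID directly and raises on an unknown ID (the analogue of the PHP fatal error); the hardened handler resolves result to evaluation to course, verifies the teacher's course scope, and returns an ordinary error for unknown or malformed IDs.

```python
"""Object-level authorization for gradebook result deletion.

Added example, not Chamilo's own code. Table layout, names and status
codes are assumptions; delete_mark / resultdelete come from the advisory.
"""
from dataclasses import dataclass, field


@dataclass
class Result:
    id: int
    evaluation_id: int
    student_id: int
    score: float


@dataclass
class Evaluation:
    id: int
    course_id: int


@dataclass
class Gradebook:
    evaluations: dict = field(default_factory=dict)
    results: dict = field(default_factory=dict)
    course_teachers: dict = field(default_factory=dict)  # course_id -> set of teachers


def sample_gradebook():
    """Constructed sample data: two courses, one teacher and one result each."""
    gb = Gradebook()
    gb.course_teachers = {101: {"alice"}, 102: {"bob"}}
    gb.evaluations = {1: Evaluation(1, 101), 2: Evaluation(2, 102)}
    gb.results = {
        10: Result(10, evaluation_id=1, student_id=500, score=8.5),
        20: Result(20, evaluation_id=2, student_id=501, score=7.0),
    }
    return gb


def _requested_id(params):
    # Either parameter name selects the result to delete.
    return params.get("resultdelete") if params.get("resultdelete") is not None else params.get("delete_mark")


def delete_result_vulnerable(gb, teacher, params):
    """The pattern the advisory describes: the ID is trusted as-is.

    No check ties the result to a course the teacher belongs to, and an
    unknown ID raises KeyError (the analogue of the PHP fatal error).
    """
    del gb.results[int(_requested_id(params))]
    return 200


def delete_result_fixed(gb, teacher, params):
    """Hardened handler: validate the ID, then enforce course scope."""
    raw = _requested_id(params)
    if raw is None or not str(raw).isdigit():
        return 400  # malformed input is rejected, never dereferenced
    result = gb.results.get(int(raw))
    if result is None:
        return 404  # unknown ID is a normal error response, not a crash
    evaluation = gb.evaluations.get(result.evaluation_id)
    if evaluation is None or teacher not in gb.course_teachers.get(evaluation.course_id, set()):
        return 403  # result belongs to a course this teacher is not assigned to
    del gb.results[result.id]
    return 200


def probe(handler, gb, teacher, params):
    """Run a handler and report its status, or "fatal" if it crashed."""
    try:
        return handler(gb, teacher, params)
    except (KeyError, TypeError, ValueError):
        return "fatal"


if __name__ == "__main__":
    gb = sample_gradebook()
    # alice (course 101) tries to delete bob's student result in course 102
    print("vulnerable, cross-course:", probe(delete_result_vulnerable, sample_gradebook(), "alice", {"resultdelete": "20"}))
    print("vulnerable, unknown id:", probe(delete_result_vulnerable, sample_gradebook(), "alice", {"resultdelete": "999"}))
    print("fixed, cross-course:", probe(delete_result_fixed, gb, "alice", {"resultdelete": "20"}))
    print("fixed, unknown id:", probe(delete_result_fixed, gb, "alice", {"resultdelete": "999"}))
    print("fixed, own course:", probe(delete_result_fixed, gb, "alice", {"delete_mark": "10"}))
```

The design point is that the authorization decision is made on the object the ID resolves to, not on the ID itself: the handler walks result to evaluation to course and compares that course against the teacher's assignments, and every lookup failure along the way maps to a controlled error code rather than an unhandled exception.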

Remediation

Users can update to Chamilo LMS version 1.11.38 or 2.0.0-RC.3 to address this vulnerability.

Added: Apr 10, 2026, 7:02 PM
Updated: Apr 10, 2026, 7:02 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 3.1
exploitability: 6.4
remediation: 7.7
relevance: 5.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.