Chamilo LMS
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- <= 2.0-RC.2
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. It affects the gradebook evaluation edit page, where an authenticated teacher can change the 'editeval' GET parameter to load and modify the settings (name, maximum score and weight) of an evaluation that belongs to another course. The evaluation is looked up by its ID alone, without checking that it belongs to the course the teacher is acting in, so the page displays and saves changes to an object the teacher is not authorized to manage.
Exploitation allows a teacher to view and alter evaluation details in courses they are not assigned to, potentially undermining academic integrity by tampering with grading criteria. Combined with another vulnerability (CVE Candidate #004), it could also enable deletion of evaluation results.
To reproduce, an authenticated teacher opens the gradebook evaluation edit page in one of their own courses and replaces the value of the 'editeval' GET parameter with the ID of an evaluation from a different course. Because course ownership is not validated, the page shows that evaluation's settings and accepts changes to them.
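The following Python model is an added example, not Chamilo's own code (which is PHP and structured differently). It shows the authorization gap described above in miniature: a vulnerable handler that loads the evaluation by the 'editeval' ID alone, beside a hardened handler that verifies that the acting user teaches the course the request is made in, that the loaded evaluation belongs to that same course, and that only the editable fields are written. The data model, function names, user and evaluation IDs are all constructed for illustration.

```python
"""Constructed model of the gradebook 'edit evaluation' handler.

Not Chamilo's code: a minimal in-memory gradebook with a vulnerable
handler (looks the row up by 'editeval' only) and a hardened one
(object-level authorization before any read or write). All names,
IDs and data are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass
class Evaluation:
    id: int
    course_id: int
    name: str
    max_score: float
    weight: float


@dataclass
class Gradebook:
    evaluations: Dict[int, Evaluation]
    # course_id -> user IDs who teach that course (constructed sample data)
    teachers: Dict[int, Set[int]]


def build_sample_gradebook() -> Gradebook:
    """Two courses with one teacher each; evaluation 42 belongs to course 2."""
    return Gradebook(
        evaluations={
            7: Evaluation(7, 1, "Midterm", 100.0, 0.4),
            42: Evaluation(42, 2, "Final exam", 100.0, 0.6),
        },
        teachers={1: {1001}, 2: {2002}},
    )


def edit_evaluation_vulnerable(gb, user_id, course_id, editeval, changes):
    """Mirrors the flaw: the caller is an authenticated teacher, but the
    evaluation is fetched by the request's 'editeval' ID with nothing
    tying it to course_id, the course the request was made in."""
    ev = gb.evaluations[editeval]          # no course ownership check
    for key, value in changes.items():
        setattr(ev, key, value)
    return ev


def edit_evaluation_hardened(gb, user_id, course_id, editeval, changes):
    """Object-level authorization before any write:
    1. the acting user must teach course_id;
    2. the evaluation loaded by ID must belong to that same course;
    3. only the fields the page is meant to edit may change."""
    if user_id not in gb.teachers.get(course_id, set()):
        raise PermissionError("user does not teach this course")
    ev = gb.evaluations.get(editeval)
    # Same error for "no such ID" and "belongs to another course", so the
    # endpoint cannot be used to enumerate which evaluation IDs exist.
    if ev is None or ev.course_id != course_id:
        raise PermissionError("evaluation not found in this course")
    disallowed = set(changes) - {"name", "max_score", "weight"}
    if disallowed:
        raise ValueError(f"fields not editable: {sorted(disallowed)}")
    for key, value in changes.items():
        setattr(ev, key, value)
    return ev


def demo_cross_course_edit(handler):
    """Teacher 1001 (course 1) submits editeval=42 (course 2) while acting
    in course_id=1, trying to zero the weight. Returns the outcome and the
    weight of evaluation 42 afterwards."""
    gb = build_sample_gradebook()
    try:
        handler(gb, user_id=1001, course_id=1, editeval=42, changes={"weight": 0.0})
    except PermissionError:
        return ("denied", gb.evaluations[42].weight)
    return ("modified", gb.evaluations[42].weight)


if __name__ == "__main__":
    print("vulnerable:", demo_cross_course_edit(edit_evaluation_vulnerable))
    print("hardened:  ", demo_cross_course_edit(edit_evaluation_hardened))
```

The check sits next to the load, before anything is rendered or saved, because the advisory describes both viewing and modifying settings of the foreign evaluation. Checking that the loaded object's course matches the request's course context (rather than only that the user is "a teacher") is the part that closes the IDOR: the ID in the URL is untrusted input, and the object's own course_id is what the authorization decision has to be made against.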
Users should update to Chamilo LMS 1.11.38 or 2.0.0-RC.3, which address this vulnerability.