Chamilo LMS
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- <= 2.0-RC.2
An open redirect vulnerability has been identified in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. The issue resides in the session course edit page, which does not validate the 'page' parameter before using it as the redirect target. After changes to coach assignments are saved, an attacker who can get an authenticated administrator to submit a crafted 'page' value can send that administrator to an arbitrary external URL. Because the redirect carries the 'id_session' parameter along with it, that value is also disclosed to the attacker's server.
Successful exploitation sends an administrator to an attacker-controlled site from what appears to be a legitimate Chamilo link. This lends itself to phishing, especially if the destination is made to look like a genuine Chamilo login page, and the disclosed 'id_session' tells the attacker which session the administrator was editing.
Users can upgrade to Chamilo LMS versions 1.11.38 or 2.0.0-RC.3 to address this vulnerability.
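The pattern described above, modelled next to a hardened version, as an added illustration written for this page rather than code taken from Chamilo. The allowlisted script names, the default page, the function names and the sample 'page' values are all assumptions; the point is that a redirect target must be compared against an allowlist of relative script names rather than used verbatim, and that a detection rule must treat scheme-relative and backslash forms as external.

```python
from urllib.parse import urlsplit, urlencode

# Hypothetical allowlist of scripts the session course edit form may return to.
# These names are assumptions made for the example, not Chamilo's routing table.
ALLOWED_PAGES = {"session_course_edit.php", "resume_session.php"}
DEFAULT_PAGE = "resume_session.php"


def build_location_unchecked(page, id_session):
    """Model of the vulnerable pattern: the caller-supplied 'page' value is
    emitted as the Location header verbatim and id_session is appended to it,
    so an external value redirects the admin off-site and carries id_session
    to that host as well."""
    sep = "&" if "?" in page else "?"
    return f"{page}{sep}id_session={id_session}"


def leaves_site(page):
    """True when a browser would resolve 'page' outside the current origin."""
    parts = urlsplit(page)
    if parts.scheme or parts.netloc:
        return True                      # https://host, //host, javascript:...
    path = parts.path
    # Browsers treat '\' as '/', so '/\host' and '\\host' become '//host'.
    return path[:1] in ("/", "\\") and path[1:2] in ("/", "\\")


def build_location_checked(page, id_session):
    """Hardened form: ignore the supplied value unless it is exactly one of the
    allowlisted relative script names, then rebuild the query string from a
    typed id_session so nothing attacker-controlled reaches the Location."""
    parts = urlsplit(page or "")
    candidate = parts.path if not (parts.scheme or parts.netloc) else ""
    target = candidate if candidate in ALLOWED_PAGES else DEFAULT_PAGE
    return f"{target}?{urlencode({'id_session': int(id_session)})}"


def flag_redirect_attempts(page_values):
    """Triage helper for access logs: return the 'page' values that would have
    sent a user off-site under the unchecked behaviour."""
    return [v for v in page_values if leaves_site(v)]


# Constructed sample of 'page' values, mixing legitimate and attacker inputs.
SAMPLE_PAGE_VALUES = [
    "session_course_edit.php",
    "resume_session.php?id=7",
    "https://attacker.example/login",
    "//attacker.example/",
    "/\\attacker.example/",
    "javascript:alert(1)",
]
```

The hardened builder deliberately does not try to "clean" the supplied value: anything that is not an exact allowlisted filename falls back to the default page, which removes the whole class of scheme-relative, backslash and scheme-smuggling bypasses rather than chasing each one. `leaves_site` is only for triaging logged requests and is intentionally the weaker, heuristic check.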