Chamilo LMS
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- <= 2.0-RC.1
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Chamilo LMS versions prior to 2.0.0-RC.3. It exists in the REST API stats endpoint, where any authenticated user, including low-privilege students with ROLE_USER, can read another user's learning progress, certificates, and gradebook scores for any course. The endpoint does not verify whether the requesting user is authorized to access the requested records, so any authenticated account can retrieve this sensitive information.
Exploitation of this vulnerability allows any authenticated user to read another user's educational records, including grades, certificates, and progress. These records include data protected under FERPA in the US and the GDPR in the EU, and because any user's records can be requested, the flaw enables mass extraction of all users' academic information. The API users collection endpoint could additionally be used for user enumeration.
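The mass-extraction pattern described above leaves a recognizable trace in API access logs: one authenticated account fetching stats for many distinct other users within a short window. The detection routine below is an added example, not Chamilo's code; it assumes a constructed log format and uses /api/stats as a placeholder for the real stats endpoint path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log sample (not real Chamilo output); "/api/stats" is a
# placeholder for the real endpoint. Fields: time, requester, request, status.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z requester=17 GET /api/stats?user=17&course=3 200
2024-05-01T10:00:05Z requester=42 GET /api/stats?user=1&course=3 200
2024-05-01T10:00:06Z requester=42 GET /api/stats?user=2&course=3 200
2024-05-01T10:00:07Z requester=42 GET /api/stats?user=3&course=3 200
2024-05-01T10:00:08Z requester=42 GET /api/stats?user=4&course=3 200
2024-05-01T10:00:09Z requester=42 GET /api/stats?user=5&course=3 200
2024-05-01T10:15:00Z requester=9 GET /api/stats?user=9&course=7 200
2024-05-01T10:15:30Z requester=9 GET /api/stats?course=7&user=10 200
"""

# Groups: time, requester id, target user id (anywhere in the query), status
LINE_RE = re.compile(
    r"^(\S+) requester=(\d+) GET /api/stats\?(?:\S*&)?user=(\d+)\S* (\d{3})$"
)

def parse_line(line):
    """Return (timestamp, requester_id, target_user_id) for a successful
    stats request, or None for anything else (no match or non-200 status)."""
    m = LINE_RE.match(line)
    if not m or m.group(4) != "200":
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, int(m.group(2)), int(m.group(3))

def find_mass_access(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {requester_id: peak_distinct_targets} for requesters who read the
    stats of at least `threshold` distinct other users inside any `window`.
    Reads of one's own record are the intended use and are skipped."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] != parsed[2]:  # skip self-access
            events[parsed[1]].append((parsed[0], parsed[2]))
    flagged = {}
    for requester, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts, _) in enumerate(evs):
            while ts - evs[start][0] > window:  # slide window forward
                start += 1
            distinct = len({t for _, t in evs[start:end + 1]})
            if distinct >= threshold:
                flagged[requester] = max(flagged.get(requester, 0), distinct)
    return flagged
```

On the sample, only requester 42 is flagged (five distinct other users in four seconds); requester 9 reads one other record and stays below the threshold.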
Users can update to Chamilo LMS version 2.0.0-RC.3 or later, where this vulnerability has been fixed.