Chamilo LMS Insecure Direct Object Reference Vulnerability in Learning Path Progress Saving Endpoint

Vulnerability

A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. This vulnerability exists in the Learning Path progress saving endpoint, specifically within the file 'lp_ajax_save_item.php'. The issue arises because the endpoint accepts a user ID parameter from the request without proper validation, allowing any authenticated user enrolled in a course to modify another user's Learning Path progress, including scores, statuses, completion times, and more.

Impact

Exploitation of this vulnerability allows for unauthorized modification of another user's Learning Path progress data, including scores, statuses, and completion times.

Reproduction

To reproduce this vulnerability, an authenticated user enrolled in a course sends a request to the 'lp_ajax_save_item.php' endpoint that includes a 'uid' parameter naming the target user whose progress is to be modified. Because the endpoint does not verify that the requesting user matches the specified user ID, the request overwrites the target user's Learning Path progress rather than the requester's own.

Remediation

Users can update to Chamilo LMS versions 1.11.38 or 2.0.0-RC.3, where this vulnerability has been fixed.
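The following is an added illustration, not Chamilo's own code, of the authorization flaw this advisory describes and of the server-side check that closes it: a progress-saving handler that takes the row owner from a 'uid' request parameter, next to a hardened handler that binds the write to the authenticated session user and logs any mismatch. The function names, the table and column names (lp_item_view, user_id, lp_item_id, score, status), and the sample rows are assumptions made for this example; they are not Chamilo's schema.

```php
<?php
// Added example (not Chamilo's code). Table/column/function names and the
// sample data below are assumptions chosen for the illustration.
declare(strict_types=1);

// Vulnerable pattern: the user whose row is written is whoever the request names.
function vulnerable_save_item(PDO $db, array $request): void
{
    $uid    = (int) ($request['uid'] ?? 0);     // taken from the request unchecked
    $itemId = (int) ($request['id'] ?? 0);
    $score  = (int) ($request['score'] ?? 0);
    $status = (string) ($request['status'] ?? '');

    $stmt = $db->prepare(
        'UPDATE lp_item_view SET score = :score, status = :status
          WHERE user_id = :uid AND lp_item_id = :item'
    );
    $stmt->execute([':score' => $score, ':status' => $status, ':uid' => $uid, ':item' => $itemId]);
}

// Hardened pattern: the row owner is always the session user. A 'uid' that
// disagrees with the session is refused and logged as an authorization failure,
// which also gives the SOC a signal to alert on.
function hardened_save_item(PDO $db, array $request, int $sessionUserId): bool
{
    $requestedUid = (int) ($request['uid'] ?? $sessionUserId);
    if ($requestedUid !== $sessionUserId) {
        error_log(sprintf(
            'lp progress save rejected: session user %d supplied uid %d',
            $sessionUserId, $requestedUid
        ));
        return false;
    }
    $itemId = (int) ($request['id'] ?? 0);
    $score  = (int) ($request['score'] ?? 0);
    $status = (string) ($request['status'] ?? '');

    $stmt = $db->prepare(
        'UPDATE lp_item_view SET score = :score, status = :status
          WHERE user_id = :uid AND lp_item_id = :item'
    );
    return $stmt->execute([
        ':score' => $score, ':status' => $status,
        ':uid'   => $sessionUserId, ':item' => $itemId,   // never the request value
    ]);
}

// Constructed demonstration data: two enrolled users with progress on item 7.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE lp_item_view (user_id INTEGER, lp_item_id INTEGER, score INTEGER, status TEXT)');
$db->exec("INSERT INTO lp_item_view VALUES (101, 7, 40, 'incomplete'), (202, 7, 95, 'completed')");

function progress_of(PDO $db, int $uid): string
{
    $stmt = $db->prepare('SELECT score, status FROM lp_item_view WHERE user_id = ? AND lp_item_id = 7');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return sprintf('user %d: score=%d status=%s', $uid, $row['score'], $row['status']);
}

$sessionUserId = 101;   // the authenticated requester
// A request whose 'uid' names a different enrolled user (constructed input).
$request = ['uid' => '202', 'id' => '7', 'score' => '0', 'status' => 'incomplete'];

vulnerable_save_item($db, $request);                       // user 202's row is overwritten
echo 'after vulnerable handler -> ' . progress_of($db, 202) . PHP_EOL;

// Restore the row, then show that the hardened handler refuses the same request.
$db->exec("UPDATE lp_item_view SET score = 95, status = 'completed' WHERE user_id = 202");
$accepted = hardened_save_item($db, $request, $sessionUserId);
echo 'hardened handler accepted request: ' . var_export($accepted, true) . PHP_EOL;
echo 'after hardened handler  -> ' . progress_of($db, 202) . PHP_EOL;
```

Run it with a PHP build that has the pdo_sqlite extension; the first handler prints user 202 reset to score 0, the second prints `false` and leaves user 202's row at score 95. The simpler fix is to ignore the parameter entirely and always write the session user's row; the compare-and-reject variant shown here does the same write but additionally produces a log line, so that repeated mismatches from one session can be surfaced as an IDOR attempt in detection rules.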

Added: Apr 10, 2026, 7:28 PM
Updated: Apr 10, 2026, 7:28 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.