Chamilo LMS Insecure Direct Object Reference Vulnerability Allowing Mass Disclosure of Personal Data and API Tokens

A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified in Chamilo LMS versions prior to 2.0.0-RC.3. The vulnerability exists in the /social-network/personal-data/{userId} endpoint, where any authenticated user can access the full personal data and API tokens of other users by altering the userId parameter. This flaw, which stems from inadequate authorization checks, leads to a significant breach of sensitive user information and credentials, potentially compromising the entire platform.

Impact

Exploitation of this vulnerability allows for unrestricted access to the personal data of all users on the platform, including administrators. The exposed data includes usernames, email addresses, phone numbers, physical addresses, gender, locale, timezone, biographies, last login timestamps, roles, and API tokens. This mass disclosure of Personally Identifiable Information (PII) and sensitive credentials could facilitate further attacks or abuses within the platform.