Chamilo LMS
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
Affected versions: <= 1.11.36
A privilege escalation vulnerability has been identified in Chamilo LMS versions prior to 1.11.38. This issue allows any authenticated user with a REST API key to modify their own status field using the update_user_from_username endpoint. Specifically, a user with a student status (5) can change their status to Teacher/CourseManager (1), thereby gaining the ability to create and manage courses. The vulnerability arises because the update_user_from_username method does not properly validate status changes, allowing unauthorized modifications of sensitive user fields.
Exploiting this vulnerability allows a student to gain Teacher/CourseManager privileges, enabling them to create and manage courses, including grading students. Additionally, the user could alter various sensitive fields such as their authentication source and roles, undermining the platform's trust model by allowing unauthorized role assignments.
Users can upgrade to Chamilo LMS version 1.11.38 or later to address this vulnerability.
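The defect described above is a mass-assignment pattern: a self-service update handler copies every field from the request into the user record, so a field that should only be writable by an administrator (status, authentication source, roles) is changed by whoever holds a valid API key. The following PHP is an added illustration, not Chamilo's own code; the function names, the field names and the `is_admin` flag on the caller are assumptions chosen for the example. It puts the vulnerable handler beside an allow-listed version that rejects the whole request when a privileged field is present, which both fixes the escalation and leaves a loggable trace of the attempt.

```php
<?php
// Added example, not part of Chamilo LMS. All names below are hypothetical.

// Status values quoted in the advisory: student = 5, Teacher/CourseManager = 1.
const STATUS_COURSEMANAGER = 1;
const STATUS_STUDENT       = 5;

// Fields a user may change on their own account (assumed list).
const SELF_SERVICE_FIELDS = ['firstname', 'lastname', 'email', 'phone'];
// Fields that only an administrator may change (assumed list; 'status',
// 'auth_source' and 'roles' are the ones named in the advisory).
const PRIVILEGED_FIELDS = ['status', 'auth_source', 'roles'];

/**
 * Vulnerable pattern: every key in the request body is written to the user
 * record. A student who sends {"status": 1} becomes a course manager.
 */
function updateUserVulnerable(array $user, array $request): array
{
    foreach ($request as $field => $value) {
        $user[$field] = $value;
    }
    return $user;
}

/**
 * Hardened pattern: only allow-listed fields are written, and the allow-list
 * grows to include privileged fields only when the caller is an administrator.
 * A request carrying any other field is rejected as a whole rather than
 * silently trimmed, so the attempt surfaces as an error that can be logged.
 */
function updateUserHardened(array $caller, array $user, array $request): array
{
    $allowed = SELF_SERVICE_FIELDS;
    if (!empty($caller['is_admin'])) {
        $allowed = array_merge($allowed, PRIVILEGED_FIELDS);
    }

    $rejected = array_diff(array_keys($request), $allowed);
    if ($rejected) {
        // Hypothetical log line; a real deployment would route this to its
        // audit log and alert on repeated attempts from one API key.
        error_log(sprintf(
            'user_update_rejected caller=%s fields=%s',
            $caller['username'],
            implode(',', $rejected)
        ));
        throw new InvalidArgumentException(
            'Fields not permitted for this caller: ' . implode(', ', $rejected)
        );
    }

    // Defence in depth: even for admins, only accept known status values.
    if (isset($request['status'])
        && !in_array((int) $request['status'], [STATUS_COURSEMANAGER, STATUS_STUDENT], true)) {
        throw new InvalidArgumentException('Unknown status value');
    }

    foreach ($request as $field => $value) {
        $user[$field] = $value;
    }
    return $user;
}

// Constructed demonstration input: a student updating their own account.
$student = ['username' => 'student1', 'status' => STATUS_STUDENT, 'is_admin' => false];
$request = ['status' => STATUS_COURSEMANAGER];

$escalated = updateUserVulnerable($student, $request);
echo "vulnerable handler: status is now {$escalated['status']}\n"; // 1

try {
    updateUserHardened($student, $student, $request);
} catch (InvalidArgumentException $e) {
    echo "hardened handler: {$e->getMessage()}\n";
}

// The same request from an administrator is accepted by the hardened handler.
$admin = ['username' => 'admin1', 'status' => STATUS_COURSEMANAGER, 'is_admin' => true];
$changed = updateUserHardened($admin, $student, $request);
echo "hardened handler (admin caller): status is now {$changed['status']}\n"; // 1
```

The allow-list is the essential change: deciding which fields a self-service endpoint may write is a product decision, so the list belongs in one place and should default to the narrowest set. Failing closed on an unknown or privileged field, instead of dropping it, is what makes the escalation attempt observable to operators who watch the application log.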