Chamilo LMS REST API Personal Information Exposure Vulnerability

Vulnerability

A vulnerability in Chamilo LMS prior to version 1.11.38 allows any authenticated user, including students, to access personal information of other users through the get_user_info_from_username REST API endpoint. The exposed data includes email addresses, first names, last names, user IDs, and active status. This issue arises from a lack of authorization checks, enabling unauthorized data access via the API.

Impact

This vulnerability allows authenticated users to collect personal information from all users, including email addresses and real names. Such data exposure could lead to targeted phishing and social engineering attacks. Additionally, when combined with other vulnerabilities in Chamilo LMS, it could facilitate account takeover, particularly for admin users.

Remediation

Update to Chamilo LMS version 1.11.38 or later, where this vulnerability has been fixed.
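As an added illustration (not Chamilo's own code, which is PHP; this is a Python model with a constructed user directory), the authenticated-only lookup the advisory describes sits beside a hardened version that releases the full record only to an administrator or the account owner, and answers unknown usernames the same way as forbidden ones:

```python
from dataclasses import dataclass, asdict

class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""

@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    firstname: str
    lastname: str
    email: str
    active: bool
    is_admin: bool = False

# Constructed sample directory standing in for the LMS user table (not real data).
USERS = {u.username: u for u in (
    User(1, "admin", "Ada", "Admin", "ada@example.test", True, is_admin=True),
    User(2, "student1", "Sam", "Student", "sam@example.test", True),
    User(3, "student2", "Tia", "Trainee", "tia@example.test", False),
)}

def _record(u: User) -> dict:
    """The fields the advisory lists as exposed: id, username, names, email, active."""
    d = asdict(u)
    d.pop("is_admin")
    return d

def user_info_vulnerable(requester: User, username: str) -> dict:
    """Pre-1.11.38 behaviour as described: being authenticated is the only check,
    so any student can read any other user's full record."""
    return _record(USERS[username])

def user_info_hardened(requester: User, username: str) -> dict:
    """Only an administrator or the account owner may read the full record.
    Unknown usernames get the same error as forbidden ones, so the endpoint
    does not confirm which accounts exist."""
    target = USERS.get(username)
    if target is None or not (requester.is_admin or requester.user_id == target.user_id):
        raise Forbidden("not authorized to read this user record")
    return _record(target)

def is_denied(requester: User, username: str) -> bool:
    """True when the hardened endpoint refuses the request."""
    try:
        user_info_hardened(requester, username)
    except Forbidden:
        return True
    return False
```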

Added: Apr 10, 2026, 7:22 PM
Updated: Apr 10, 2026, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 5.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.