Chamilo LMS Weak REST API Key Generation Vulnerability Allowing Brute-Force Attacks

Vulnerability

A vulnerability exists in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3, where REST API keys are generated using a predictable formula. The method combines the current timestamp, the user ID, and a "random" number that is not random at all, since it always returns the same value. Because every input is known or guessable, an attacker who knows a username and the approximate time the key was created can brute-force the API key. The vulnerability is particularly concerning because it can lead to unauthorized access and privilege escalation.
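To make the weakness concrete, the following is an added example (not Chamilo's code) that models the described pattern with assumed inputs: a key derived from timestamp, user ID and a constant standing in for the non-random number, next to a key drawn from the OS CSPRNG, plus a small audit check that flags a generator whose output is fully determined by public inputs.

```python
import hashlib
import math
import secrets
from typing import Callable

# Constructed model of the scheme the advisory describes: the "random"
# component is a constant. The constant and the hash layout are assumptions
# about the shape of the flaw, not Chamilo's actual implementation.
NOT_RANDOM = 42  # assumed constant standing in for the non-random number


def weak_api_key(user_id: int, created_at: int) -> str:
    """Vulnerable pattern: every input is known or guessable by an attacker."""
    material = f"{created_at}:{user_id}:{NOT_RANDOM}".encode()
    return hashlib.sha256(material).hexdigest()


def strong_api_key(user_id: int, created_at: int) -> str:
    """Hardened pattern: the key does not depend on user ID or time at all.

    The parameters are kept only so both generators share one signature."""
    return secrets.token_hex(32)  # 256 bits from the OS CSPRNG


def is_deterministic(gen: Callable[[int, int], str],
                     user_id: int, created_at: int) -> bool:
    """Audit check: a generator that returns the same key twice for the same
    public inputs carries no secret entropy and is reproducible by anyone
    who knows those inputs."""
    return gen(user_id, created_at) == gen(user_id, created_at)


def weak_key_entropy_bits(window_seconds: int) -> float:
    """Upper bound on the weak key's entropy when the creation time is known
    to within window_seconds: at most one candidate key per second."""
    return math.log2(window_seconds)


def strong_key_entropy_bits(key: str) -> int:
    """Entropy of a CSPRNG hex key equals its length in bits."""
    return len(bytes.fromhex(key)) * 8
```

With a creation time known to the hour, the weak key has under 12 bits of effective entropy, against 256 bits for the CSPRNG key.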

Impact

This vulnerability allows for the brute-forcing of any user's API key without needing to know their password. Successfully obtaining the API key can lead to unauthorized actions within the application, such as escalating privileges or accessing personal information, depending on the user's role.

Remediation

Update to Chamilo LMS version 1.11.38 or 2.0.0-RC.3, in which this vulnerability has been fixed.

Added: Apr 10, 2026, 7:21 PM
Updated: Apr 10, 2026, 7:21 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 1.3
exploitability: 7.5
remediation: 7.7
relevance: 5.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.