Chamilo LMS
cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*
- <= 2.0-RC.2
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the notebook module of Chamilo LMS, affecting versions prior to 2.0.0-RC.3. It allows authenticated students to read the private course notes of other users by manipulating the notebook_id parameter of the editnote action. The application retrieves the note using only the supplied ID, without verifying that the requesting user owns it, and places the full title and HTML body into the edit form that is sent to the user's browser. Ownership checks exist for updating and deleting notes but are entirely absent for reading them, creating a read-only IDOR that exposes private notes across the learning management system.
Exploitation of this vulnerability allows access to private study notes, exam preparation materials, instructor personal notes, and notes containing sensitive personal information that users believed was private.
Users can update to Chamilo LMS version 2.0.0-RC.3, where this vulnerability has been fixed.
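The pattern described above, as an added illustration that is not Chamilo's code: a hypothetical notebook module in which the read path looks a note up by ID alone, beside a corrected version that routes read, update and delete through one shared ownership check so the three paths cannot drift apart. The `Note` model, the in-memory store and all function names are assumptions made for this example.

```python
"""Illustrative notebook handlers for a read-only IDOR and its fix.

Added example, not Chamilo's code: the data model, store and function names
are hypothetical stand-ins for a notebook module.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the current user does not own the requested note."""


class NotFound(Exception):
    """Raised when no note has the requested id."""


@dataclass
class Note:
    note_id: int
    owner_id: int
    title: str
    body_html: str


# Constructed sample data: two users, each with one private note.
NOTES = {
    1: Note(1, owner_id=100, title="Alice exam prep", body_html="<p>chapter 3</p>"),
    2: Note(2, owner_id=200, title="Bob private", body_html="<p>my grades</p>"),
}


def _fetch_note(note_id: int) -> Note:
    """Look a note up by id; raises NotFound for unknown ids."""
    try:
        return NOTES[note_id]
    except KeyError:
        raise NotFound(note_id) from None


def _require_owner(note: Note, current_user_id: int) -> Note:
    """Single ownership check shared by the read, update and delete paths."""
    if note.owner_id != current_user_id:
        raise Forbidden(note.note_id)
    return note


def load_note_for_edit_vulnerable(note_id: int, current_user_id: int) -> dict:
    """Vulnerable pattern: the note is fetched by id alone and its content is
    returned to the edit form, so any authenticated user can read any note.
    The current user is accepted but never consulted."""
    note = _fetch_note(note_id)
    return {"title": note.title, "body_html": note.body_html}


def load_note_for_edit(note_id: int, current_user_id: int) -> dict:
    """Fixed pattern: ownership is enforced before any content reaches the
    response, using the same helper as update and delete."""
    note = _require_owner(_fetch_note(note_id), current_user_id)
    return {"title": note.title, "body_html": note.body_html}


def update_note(note_id: int, current_user_id: int, title: str, body_html: str) -> Note:
    """Update path: already ownership-checked, mirroring the advisory."""
    note = _require_owner(_fetch_note(note_id), current_user_id)
    note.title, note.body_html = title, body_html
    return note


def delete_note(note_id: int, current_user_id: int) -> None:
    """Delete path: already ownership-checked, mirroring the advisory."""
    _require_owner(_fetch_note(note_id), current_user_id)
    del NOTES[note_id]


def can_read(loader, note_id: int, current_user_id: int) -> bool:
    """Regression check helper: True if the loader returns content to this
    user, False if the ownership check rejects the request."""
    try:
        loader(note_id, current_user_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # User 100 asking for user 200's note: readable under the vulnerable path,
    # rejected under the fixed one.
    print("vulnerable:", can_read(load_note_for_edit_vulnerable, 2, 100))
    print("fixed:     ", can_read(load_note_for_edit, 2, 100))
```

The `can_read` helper is the shape of regression test a maintainer would keep: one assertion that a non-owner is refused on the read path, alongside the existing update and delete checks, so a later refactor of the edit form cannot silently reintroduce the gap. Whether the refusal is surfaced as a 403 or as a generic 404 is a separate design choice; the essential point is that the ownership decision is made before any note content is placed into the response.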