Chamilo LMS Insecure Direct Object Reference Vulnerability in Course Enrollment API

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Chamilo LMS versions prior to 2.0.0-RC.3. The issue resides in the '/api/course_rel_users' endpoint: an authenticated attacker can set the user parameter in the request body to another user's identifier and enroll that user into any course, bypassing authorization checks. The backend does not verify that the requester is the referenced user, or that the requester is otherwise allowed to manage enrollments for that course (for example as a course teacher or platform administrator), so any authenticated account can create user-course relationships it does not own. This can grant unintended access to course materials, bypass enrollment controls, and undermine the integrity of the platform's enrollment data.

Impact

Exploitation allows any authenticated user to enroll arbitrary users in arbitrary courses, tampering with user-course relationships, granting access to course materials that enrollment controls should restrict, and disrupting application integrity. No elevated role is required; a low-privileged account such as a student is sufficient.

Reproduction

To reproduce this vulnerability, authenticate as a low-privileged user and send a POST request to the '/api/course_rel_users' endpoint with a JSON payload whose user reference points at a different user and whose course reference points at a course the requester does not administer. On affected versions the request is processed without a server-side check that the requester is that user or is otherwise authorized to manage enrollments for the course, and the unauthorized enrollment is created.
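The following is an added, constructed model of the flaw and its fix, not Chamilo's own code: a handler that trusts the client-supplied user reference (the pre-fix behaviour described above) next to a hardened handler that performs the missing ownership and permission check before touching state. The request body shape ("user" and "course" given as API-Platform-style IRIs), the role model (platform admin, course teacher, optional self-subscription) and all identifiers are assumptions for illustration.

```python
"""Model of the /api/course_rel_users IDOR: vulnerable handler vs hardened handler.
Constructed example, not Chamilo code. Body field names, IRI format and the
role model below are assumptions made for this illustration."""
import json
import re
from dataclasses import dataclass, field

# Assumed IRI shape: /api/users/<id> and /api/courses/<id>
IRI_RE = re.compile(r"^/api/(users|courses)/(\d+)$")


@dataclass
class User:
    id: int
    is_admin: bool = False          # platform administrator (assumed role)


@dataclass
class Course:
    id: int
    teachers: set = field(default_factory=set)   # user ids allowed to manage enrollments
    open_subscription: bool = False              # may users enroll themselves? (assumed setting)


def build_enrollment_request(user_id, course_id):
    """What the reproduction request looks like under the assumed body shape."""
    body = {"user": f"/api/users/{user_id}", "course": f"/api/courses/{course_id}"}
    return {
        "method": "POST",
        "path": "/api/course_rel_users",
        "headers": {"Content-Type": "application/ld+json"},
        "body": json.dumps(body),
    }


def parse_iri(value, kind):
    """Extract the numeric id from an IRI of the expected kind; reject anything else."""
    m = IRI_RE.match(value or "")
    if not m or m.group(1) != kind:
        raise ValueError(f"invalid {kind} reference: {value!r}")
    return int(m.group(2))


def enroll_vulnerable(requester, body, courses, enrollments):
    """Pre-fix behaviour: being authenticated is enough; the requester is never
    compared against the user named in the body."""
    data = json.loads(body)
    uid = parse_iri(data.get("user"), "users")
    cid = parse_iri(data.get("course"), "courses")
    if cid not in courses:
        return 404
    enrollments.add((uid, cid))      # acts on whatever user id the client chose
    return 201


def may_manage_enrollment(requester, target_uid, course):
    """The authorization check the vulnerable handler lacks (assumed policy)."""
    if requester.is_admin or requester.id in course.teachers:
        return True
    # Self-enrollment only where the course explicitly permits it
    return target_uid == requester.id and course.open_subscription


def enroll_hardened(requester, body, courses, enrollments):
    """Fixed behaviour: resolve the object references, then deny unless the
    requester owns the user id or has permission to act on that course."""
    data = json.loads(body)
    uid = parse_iri(data.get("user"), "users")
    cid = parse_iri(data.get("course"), "courses")
    course = courses.get(cid)
    if course is None:
        return 404
    if not may_manage_enrollment(requester, uid, course):
        return 403                   # deny before any state change
    enrollments.add((uid, cid))
    return 201


if __name__ == "__main__":
    courses = {3: Course(3, teachers={10})}
    attacker = User(1)               # low-privileged account, not a teacher of course 3
    req = build_enrollment_request(2, 3)   # enroll victim user 2 into course 3
    print("vulnerable:", enroll_vulnerable(attacker, req["body"], courses, set()))
    print("hardened:  ", enroll_hardened(attacker, req["body"], courses, set()))
```

The key property of the hardened handler is that the decision is made from the authenticated identity and the server's own course data, not from anything in the request body; the body only names which objects the caller wants to act on. Checking the course before the authorization decision means a non-existent course id yields a 404 even for unauthorized callers; whether that existence signal matters depends on the deployment.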

Remediation

Update to Chamilo LMS version 2.0.0-RC.3 or later, where this vulnerability has been fixed. Until then, restrict access to the '/api/course_rel_users' endpoint to trusted roles and review existing user-course relationships for enrollments that were not created by a teacher, administrator, or legitimate self-subscription.

Added: Apr 15, 2026, 12:27 AM
Updated: Apr 15, 2026, 12:27 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 5.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.