Chamilo LMS Privilege Escalation Vulnerability in User Role Modification API Endpoint

Vulnerability

A privilege escalation vulnerability has been identified in Chamilo LMS versions prior to 2.0.0-RC.3. The issue resides in the PUT /api/users/{id} endpoint: its access check verifies only that the authenticated caller owns the user record being modified, not which roles the request body assigns to it. An authenticated user holding ROLE_STUDENT can therefore send a PUT request for their own record with ROLE_ADMIN in the roles field, and the change is accepted. Any user can thus grant themselves administrative privileges and gain full control over the platform, including access to all courses, user data, grades, and administrative settings.

Impact

Exploitation allows any student to gain administrative rights on the platform, with full access to courses, user information, grades, and administrative settings. According to Chamilo, this could further lead to remote code execution.

Remediation

Upgrade to Chamilo LMS version 2.0.0-RC.3 or later. Because the flaw lets a user promote their own account, closing the endpoint does not by itself revert roles that were already changed; administrators should also review which accounts currently hold ROLE_ADMIN and demote any that should not.
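The following Python model is added here to illustrate the gap described under Vulnerability and the post-upgrade audit suggested under Remediation; it is not code from Chamilo (a PHP/Symfony application). It places the ownership-only check beside a hardened variant that additionally restricts which fields a non-admin may write to their own record, so the roles field is only writable by an administrator. The role names follow the advisory; the user store, the SELF_EDITABLE allow-list and the function names are constructed for the example.

```python
"""Illustrative model of an ownership-only PUT /api/users/{id} check versus a
field-aware one. Not Chamilo code; data and names are constructed."""
from dataclasses import dataclass, fields

# Role names as given in the advisory (Symfony convention).
ROLE_STUDENT = "ROLE_STUDENT"
ROLE_ADMIN = "ROLE_ADMIN"


class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""


@dataclass
class User:
    id: int
    username: str
    roles: list


def make_store():
    """Constructed sample data: one administrator and one student."""
    return {
        1: User(1, "alice", [ROLE_ADMIN]),
        42: User(42, "bob", [ROLE_STUDENT]),
    }


def is_admin(user):
    return ROLE_ADMIN in user.roles


def _check_ownership(caller, target):
    # Shared check: a user may edit their own record, an admin may edit any.
    if caller.id != target.id and not is_admin(caller):
        raise Forbidden("not the record owner")


def _apply(target, body):
    # Reject unknown attributes, then write the remaining ones onto the record.
    known = {f.name for f in fields(User)} - {"id"}
    unknown = set(body) - known
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    for name, value in body.items():
        setattr(target, name, value)
    return target


def vulnerable_put_user(store, caller, user_id, body):
    """Ownership-only authorization: every field in the body is applied,
    including roles, so the record owner can promote themselves."""
    target = store[user_id]
    _check_ownership(caller, target)
    return _apply(target, body)


# Hypothetical allow-list of fields a user may change on their own record.
SELF_EDITABLE = {"username"}


def hardened_put_user(store, caller, user_id, body):
    """Ownership check plus a field-level check: a non-admin may write only
    allow-listed fields, so changing roles requires an admin caller."""
    target = store[user_id]
    _check_ownership(caller, target)
    if not is_admin(caller):
        denied = set(body) - SELF_EDITABLE
        if denied:
            raise Forbidden(f"fields not permitted for self-edit: {sorted(denied)}")
    return _apply(target, body)


def unexpected_admins(store, expected_admin_ids):
    """Post-upgrade audit: the fix stops new self-promotions but does not undo
    earlier ones, so list every ROLE_ADMIN account not on the expected list."""
    return sorted(u.id for u in store.values()
                  if is_admin(u) and u.id not in expected_admin_ids)


def demo():
    """Replay the student self-promotion against both handlers."""
    promote = {"roles": [ROLE_ADMIN]}

    store = make_store()
    vulnerable_put_user(store, store[42], 42, promote)
    escalated = is_admin(store[42])            # the student is now an admin
    leftovers = unexpected_admins(store, {1})  # audit flags user 42

    store = make_store()
    try:
        hardened_put_user(store, store[42], 42, promote)
        blocked = False
    except Forbidden:
        blocked = True
    return escalated, blocked, leftovers


if __name__ == "__main__":
    escalated, blocked, leftovers = demo()
    print(f"vulnerable handler escalated the student: {escalated}")
    print(f"hardened handler blocked the request: {blocked}")
    print(f"unexpected ROLE_ADMIN accounts after escalation: {leftovers}")
```

The hardened variant deliberately uses an allow-list of self-editable fields rather than a deny-list of privileged ones, so a newly added sensitive attribute is protected by default. The audit helper is the check to run once after upgrading, with the set of legitimately administrative account IDs as input.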

Added: Apr 15, 2026, 12:16 AM
Updated: Apr 15, 2026, 12:16 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 5.0
exploitability: 5.4
remediation: 7.7
relevance: 5.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.