SB20260424136 - Multiple vulnerabilities in Chamilo LMS


Published: April 24, 2026

Security Bulletin ID: SB20260424136
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2026-32893)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.

The vulnerability exists due to cross-site scripting in public/main/exercise/question_list_admin.inc.php when generating pagination links from user-supplied GET parameters. A remote user can send a specially crafted request to execute arbitrary JavaScript in a victim's browser.

User interaction is required, and exploitation occurs in an authenticated teacher's browser.
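The pattern described above (a pagination link assembled from GET parameters) is illustrated below with an added Python example; it is not Chamilo's code, and the route, parameter names and sort columns are constructed. The unsafe builder copies every query value verbatim into an HTML attribute, which is the class of defect this CVE describes; the hardened builder allowlists the parameters a pagination link may carry, validates each value, URL-encodes the query string, and HTML-escapes the result for the attribute context.

```python
import html
from typing import Mapping
from urllib.parse import urlencode

# Constructed allowlist: the only query parameters a pagination link may carry
# forward, each paired with a validator. The column names are hypothetical.
SORT_COLUMNS = {"title", "type", "level"}


def _positive_int(value: str) -> str:
    n = int(value)  # ValueError on anything that is not an integer
    if n < 1:
        raise ValueError("must be >= 1")
    return str(n)


def _sort_column(value: str) -> str:
    if value not in SORT_COLUMNS:
        raise ValueError("unknown sort column")
    return value


PAGINATION_PARAMS = {
    "page": _positive_int,
    "per_page": _positive_int,
    "sort": _sort_column,
}


def pagination_link_unsafe(base_path: str, get_params: Mapping[str, str], next_page: int) -> str:
    """Vulnerable pattern: every GET parameter is copied verbatim into the HTML
    attribute, so a value containing a quote or angle bracket leaves the href."""
    params = dict(get_params, page=str(next_page))
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return f'<a href="{base_path}?{query}">next</a>'


def pagination_link_safe(base_path: str, get_params: Mapping[str, str], next_page: int) -> str:
    """Hardened form: unknown parameters are dropped, known ones are validated,
    the query string is URL-encoded, and the result is HTML-escaped because it
    lands inside an attribute."""
    clean = {}
    for name, validate in PAGINATION_PARAMS.items():
        if name in get_params:
            try:
                clean[name] = validate(get_params[name])
            except ValueError:
                continue  # drop invalid values instead of echoing them back
    clean["page"] = str(next_page)
    query = urlencode(clean)  # percent-encodes for the URL context
    return f'<a href="{html.escape(base_path)}?{html.escape(query)}">next</a>'


if __name__ == "__main__":
    # Constructed request: two legitimate parameters and one carrying markup.
    request = {"page": "2", "per_page": "20", "sort": '"><b>x</b>'}
    print(pagination_link_unsafe("/exercise/questions", request, 3))
    print(pagination_link_safe("/exercise/questions", request, 3))
```

Two layers matter here: validation rejects the markup-bearing `sort` value outright, and escaping would neutralise it even if a validator were missing. Relying on only one of them is what tends to regress when a template is later edited.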


2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33141)

CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to authorization bypass through user-controlled key in the REST API stats endpoint when handling GET requests for user and course statistics. A remote user can request statistics for arbitrary user IDs and course IDs to disclose sensitive information.

The disclosed data includes learning progress, certificates, and gradebook scores; the requester needs neither enrollment in the course nor a supervisory relationship with the user to read the requested records.
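The missing check is object-level authorization: the user and course ids in the request must not be trusted on their own. The following added Python example (not Chamilo's code; the route, data model and sample records are constructed) shows a stats handler that only serves a record when the caller is the user concerned, a teacher of that course, a supervisor of that user, or an administrator, and that returns the same response for unauthorized and non-existent ids so the endpoint cannot be used to confirm which ids are valid.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple


@dataclass
class Principal:
    """The authenticated caller as resolved from the API session (constructed)."""
    user_id: int
    is_admin: bool = False
    teaches: Set[int] = field(default_factory=set)     # course ids this user teaches
    supervises: Set[int] = field(default_factory=set)  # user ids this user supervises


# Constructed sample data: course enrollments and the per-(user, course)
# statistics the endpoint serves.
ENROLLMENTS: Dict[int, Set[int]] = {
    10: {2, 3},
    11: {3},
}
STATS: Dict[Tuple[int, int], dict] = {
    (2, 10): {"progress": 80, "score": 91.5, "certificate": True},
    (3, 10): {"progress": 45, "score": 62.0, "certificate": False},
    (3, 11): {"progress": 100, "score": 88.0, "certificate": True},
}


def can_view_stats(caller: Principal, target_user_id: int, course_id: int) -> bool:
    """Object-level authorization: the caller must hold a relationship to both
    the requested user and the requested course, not merely be logged in."""
    if caller.is_admin:
        return True
    if target_user_id not in ENROLLMENTS.get(course_id, set()):
        return False  # no enrollment, so nothing to show a non-admin
    if caller.user_id == target_user_id:
        return True  # own statistics
    if course_id in caller.teaches:
        return True  # teacher of that course
    if target_user_id in caller.supervises:
        return True  # supervisor of that user
    return False


def stats_endpoint(caller: Principal, target_user_id: int, course_id: int) -> Tuple[int, dict]:
    """Handler for a hypothetical GET /stats?user_id=..&course_id=.. route."""
    if not can_view_stats(caller, target_user_id, course_id):
        # Same response whether or not the ids exist, so the endpoint does not
        # confirm which user or course ids are valid.
        return 403, {"error": "forbidden"}
    record = STATS.get((target_user_id, course_id))
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


if __name__ == "__main__":
    teacher = Principal(user_id=7, teaches={10})
    print(stats_endpoint(teacher, 3, 10))  # teacher of course 10: allowed
    print(stats_endpoint(teacher, 3, 11))  # not their course: forbidden
```

The authorization decision is kept in its own function so it can be unit-tested against every role combination and reused by any other endpoint that takes a user id or course id from the client.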


Remediation

Install the update from the vendor's website.