CVE-2024-50337
Unauthenticated Blind SSRF in Chamilo OpenId Before
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.28 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2024-50337 is a moderate severity unauthenticated blind Server-Side Request Forgery (SSRF) vulnerability in Chamilo LMS versions up to 1.11.26. It occurs in the OpenID login function, where an attacker can send a request to any URL on the server's behalf without authentication.

This happens because the OpenID login process does not properly validate the URL parameter, allowing attackers to specify arbitrary URLs. As a result, the server makes requests internally to those URLs, which can include internal services that are not accessible externally.

The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and can be exploited by sending a crafted POST request with an `openid_url` parameter pointing to an internal resource, such as `http://localhost:8888`. The issue was fixed in Chamilo LMS version 1.11.28 by implementing SSRF prevention measures. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker to make the Chamilo LMS server send requests to internal or otherwise inaccessible services on the server's network. Because the attacker does not need to be authenticated, they can probe internal resources that are normally protected.

The impact includes potential unauthorized access to internal services, which could lead to information disclosure or further exploitation depending on what internal services are reachable.

However, the CVSS score indicates a moderate severity with low confidentiality impact and no impact on integrity or availability, meaning the vulnerability primarily risks limited information disclosure without directly affecting data integrity or system availability. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual POST requests to the OpenID login function containing a crafted `openid_url` parameter that points to internal or unauthorized URLs. Specifically, look for POST requests where the `openid_url` parameter is set to internal addresses such as `http://localhost:8888` or other internal services that should not be accessible externally.

A practical detection method is to capture and analyze HTTP traffic to the Chamilo LMS server, focusing on POST requests to the OpenID login endpoint with suspicious `openid_url` values.

Example commands to detect such activity using common tools:

- Using tcpdump to capture HTTP POST requests to the server (replace `<interface>` and `<server_ip>`): `tcpdump -i <interface> host <server_ip> and tcp port 80 -A | grep 'POST'`
- Using grep on web server access logs to find POST requests to the OpenID login path: `grep 'POST /main/auth/openid/login.php' /var/log/apache2/access.log | grep openid_url`
- Using curl to test if the server is vulnerable by sending a crafted POST request: `curl -X POST -d 'openid_url=http://localhost:8888' https://<chamilo-server>/main/auth/openid/login.php -v`

If the server responds or behaves as if it is making the internal request, it indicates the presence of the SSRF vulnerability. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade Chamilo LMS to version 1.11.28 or later, where this vulnerability has been patched.
If upgrading immediately is not possible, apply the following mitigations:
- Restrict the OpenID providers allowed by configuring the new `auth_openid_allowed_providers` setting to whitelist only trusted OpenID provider hostnames or wildcard patterns. This prevents attackers from specifying arbitrary URLs.
- Implement network-level controls such as firewall rules to block outgoing HTTP requests from the Chamilo server to internal services that should not be accessible.
- Monitor and block suspicious POST requests to the OpenID login endpoint containing unexpected or internal URLs in the `openid_url` parameter.
These steps reduce the risk of exploitation until the official patch can be applied.
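As an added example covering both the detection and mitigation answers above (it is not Chamilo's code and does not reproduce the real `auth_openid_allowed_providers` implementation), the block below models a provider allowlist with hostname and wildcard patterns, refuses loopback and private IP literals as defence in depth, and applies the same check to constructed access-log lines to flag OpenID login POSTs whose `openid_url` would have been rejected. The allowlist entries, log format and the assumption that the parameter appears in the query string are all constructed for the example.

```python
"""Allowlist check for OpenID provider URLs, plus an access-log scan for rejected values.
Added example (not Chamilo's code): it models the `auth_openid_allowed_providers` idea as
a hostname allowlist with wildcard patterns. Allowlist values and log lines are constructed."""
import ipaddress
import re
from fnmatch import fnmatch
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: only these provider hosts (or wildcard patterns) may be contacted.
ALLOWED_PROVIDERS = ["openid.example.org", "*.id.example.net"]


def is_allowed_provider(openid_url: str, allowed=ALLOWED_PROVIDERS) -> bool:
    """True only for http(s) URLs whose host is on the allowlist and is not an internal address."""
    parts = urlsplit(openid_url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host or host == "localhost":
        return False                        # other schemes, missing host, loopback by name
    try:                                    # IP literals: refuse loopback/private/link-local ranges
        addr = ipaddress.ip_address(host)   # (defence in depth; the allowlist is the main control)
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            return False
    except ValueError:
        pass                                # not an IP literal, so fall through to pattern matching
    return any(fnmatch(host, pattern.lower()) for pattern in allowed)

# Combined-format request field, e.g. "POST /path?query HTTP/1.1" 200
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_suspicious_requests(log_lines, allowed=ALLOWED_PROVIDERS):
    """Return (client_ip, openid_url) pairs for OpenID login POSTs whose URL fails the allowlist.
    Assumes the parameter is visible in the query string; POST bodies are not normally logged."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m or m.group("method") != "POST":
            continue
        path, _, query = m.group("target").partition("?")
        if not path.endswith("/main/auth/openid/login.php"):
            continue
        for url in parse_qs(query).get("openid_url", []):
            if not is_allowed_provider(url, allowed):
                hits.append((line.split()[0], url))
    return hits

SAMPLE_LOG = [  # constructed log lines, not captured traffic
    '203.0.113.5 - - [01/Mar/2026:10:00:01 +0000] "POST /main/auth/openid/login.php?openid_url=https%3A%2F%2Fopenid.example.org%2Fid%2Falice HTTP/1.1" 302 0',
    '198.51.100.9 - - [01/Mar/2026:10:00:07 +0000] "POST /main/auth/openid/login.php?openid_url=http%3A%2F%2Flocalhost%3A8888 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Mar/2026:10:00:09 +0000] "POST /main/auth/openid/login.php?openid_url=http%3A%2F%2Fprovider.example.com%2F HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Mar/2026:10:01:00 +0000] "GET /main/index.php HTTP/1.1" 200 2048',
]
```

Running `flag_suspicious_requests(SAMPLE_LOG)` returns the two requests from `198.51.100.9`: the loopback target from the advisory and an external host that is simply not on the allowlist.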