CVE-2024-50337
Received Received - Intake
Unauthenticated Blind SSRF in Chamilo OpenId Before

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.28, the OpenId function allows anyone to send requests to any URL on server's behalf, which results in unauthenticated blind SSRF. This issue has been patched in version 1.11.28.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2024-50337
EUVD
EUVD-2024-55456
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chamilo chamilo_lms to 1.11.28 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2024-50337 is a moderate severity unauthenticated blind Server-Side Request Forgery (SSRF) vulnerability in Chamilo LMS versions up to 1.11.26. It occurs in the OpenID login function, where an attacker can send a request to any URL on the server's behalf without authentication."}, {'type': 'paragraph', 'content': 'This happens because the OpenID login process does not properly validate the URL parameter, allowing attackers to specify arbitrary URLs. As a result, the server makes requests internally to those URLs, which can include internal services that are not accessible externally.'}, {'type': 'paragraph', 'content': 'The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and can be exploited by sending a crafted POST request with an `openid_url` parameter pointing to an internal resource, such as `http://localhost:8888`. The issue was fixed in Chamilo LMS version 1.11.28 by implementing SSRF prevention measures.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an attacker to make the Chamilo LMS server send requests to internal or otherwise inaccessible services on the server's network. Because the attacker does not need to be authenticated, they can probe internal resources that are normally protected."}, {'type': 'paragraph', 'content': 'The impact includes potential unauthorized access to internal services, which could lead to information disclosure or further exploitation depending on what internal services are reachable.'}, {'type': 'paragraph', 'content': 'However, the CVSS score indicates a moderate severity with low confidentiality impact and no impact on integrity or availability, meaning the vulnerability primarily risks limited information disclosure without directly affecting data integrity or system availability.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual POST requests to the OpenID login function containing a crafted `openid_url` parameter that points to internal or unauthorized URLs. Specifically, look for POST requests where the `openid_url` parameter is set to internal addresses such as `http://localhost:8888` or other internal services that should not be accessible externally.'}, {'type': 'paragraph', 'content': 'A practical detection method is to capture and analyze HTTP traffic to the Chamilo LMS server, focusing on POST requests to the OpenID login endpoint with suspicious `openid_url` values.'}, {'type': 'paragraph', 'content': 'Example commands to detect such activity using common tools:'}, {'type': 'list_item', 'content': "Using tcpdump to capture HTTP POST requests to the server (replace <interface> and <server_ip>):\n`tcpdump -i <interface> host <server_ip> and tcp port 80 -A | grep 'POST'`"}, {'type': 'list_item', 'content': "Using grep on web server access logs to find POST requests to the OpenID login path:\n`grep 'POST /main/auth/openid/login.php' /var/log/apache2/access.log | grep openid_url`"}, {'type': 'list_item', 'content': "Using curl to test if the server is vulnerable by sending a crafted POST request:\n`curl -X POST -d 'openid_url=http://localhost:8888' https://<chamilo-server>/main/auth/openid/login.php -v`"}, {'type': 'paragraph', 'content': 'If the server responds or behaves as if it is making the internal request, it indicates the presence of the SSRF vulnerability.'}] [1]

Mitigation Strategies

The immediate and recommended mitigation is to upgrade Chamilo LMS to version 1.11.28 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, apply the following mitigations:

  • Restrict the OpenID providers allowed by configuring the new `auth_openid_allowed_providers` setting to whitelist only trusted OpenID provider hostnames or wildcard patterns. This prevents attackers from specifying arbitrary URLs.
  • Implement network-level controls such as firewall rules to block outgoing HTTP requests from the Chamilo server to internal services that should not be accessible.
  • Monitor and block suspicious POST requests to the OpenID login endpoint containing unexpected or internal URLs in the `openid_url` parameter.

These steps reduce the risk of exploitation until the official patch can be applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-50337. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart