Executive Summary

CVE-2026-31939 is a high-severity path traversal vulnerability in Chamilo LMS versions up to 1.11.36. It occurs in the file savescores.php where user input from the 'test' parameter is directly concatenated into a filesystem path without proper validation or canonicalization. This allows an authenticated user to manipulate the path and delete arbitrary files outside the intended directory, depending on the server's filesystem permissions.

The vulnerability arises because the application does not check for directory traversal sequences like '../' and does not verify that the resolved file path is within the allowed base directory before performing file deletion.

The issue is fixed in Chamilo LMS version 1.11.38 by implementing path canonicalization, base directory enforcement, and input allowlisting to prevent traversal attacks.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an authenticated user to delete arbitrary files outside the intended directory, which could lead to unauthorized data loss or manipulation.

Such unauthorized file deletion could impact data integrity and availability, which are critical components of compliance with standards like GDPR and HIPAA.

However, the vulnerability does not allow direct reading of files, so confidentiality impact is limited to low.

Organizations using affected versions of Chamilo LMS prior to 1.11.38 may face increased risk of non-compliance due to potential disruption or loss of protected data.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user with low privileges to delete arbitrary files on the server outside the intended course document directory.

The impact includes potential loss of important files, disruption of service, and integrity compromise of the system since files can be deleted unexpectedly.

The CVSS v3.1 score of 8.3 reflects a high severity with low attack complexity and no user interaction required, meaning it is relatively easy for an attacker with valid credentials to exploit.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves path traversal in the Chamilo LMS file savescores.php, where user input is concatenated into filesystem paths without validation, allowing arbitrary file deletion. Detection involves monitoring for suspicious requests to the savescores.php endpoint with unusual or traversal-like values in the 'test' parameter.

You can detect attempts by inspecting web server logs for requests to /main/exercise/savescores.php containing directory traversal patterns such as '../' or unexpected file names in the 'test' parameter.

Example commands to search logs (assuming Apache logs):

• grep -i 'savescores.php' /var/log/apache2/access.log | grep '\.\./'
• grep -i 'savescores.php' /var/log/apache2/access.log | grep 'test='

Additionally, monitoring filesystem changes or unexpected file deletions in the course document directories or outside them can help detect exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Chamilo LMS to version 1.11.38 or later, where this vulnerability is fixed.

If immediate upgrade is not possible, apply the following mitigations:

• Implement canonicalization and base directory enforcement in savescores.php by resolving file paths with realpath() and verifying they reside within the intended directory before deletion.
• Restrict the 'test' parameter input to an allowlist of safe characters (alphanumeric, underscore, dash) and deny traversal characters like '../'.
• Sanitize user inputs to prevent injection of malicious path sequences.

Also, monitor and restrict filesystem permissions to limit the impact of any unauthorized file deletion.

Useful 0 Not Useful 0