CVE-2026-32894
IDOR Vulnerability in Chamilo LMS Allows Unauthorized Grade Deletion
Publication date: 2026-04-10
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.38 (excluding) |
| chamilo | chamilo_lms | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32894 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3, specifically in the gradebook result view page.
This vulnerability allows any authenticated teacher to delete any student's grade result across all courses by manipulating the `delete_mark` or `resultdelete` GET parameters without any verification of ownership or course scope.
The system does not check whether the teacher has authority over the grade result being deleted, and result IDs are sequential and easily enumerable, making exploitation straightforward.
Additionally, attempting to delete a non-existent result ID can cause a denial of service due to a null pointer dereference.
How can this vulnerability impact me?
This vulnerability can have serious impacts including:
- Permanent deletion of any student's grade result across all courses, potentially destroying academic records.
- Denial of service caused by a null pointer dereference when attempting to delete a non-existent grade result.
- Potential legal consequences due to destruction of academic records.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the Chamilo LMS gradebook result view page, specifically looking for GET requests that include the parameters `delete_mark` or `resultdelete`.
Since the vulnerability involves manipulation of these GET parameters by authenticated teachers to delete student grade results, detection involves identifying unusual or unauthorized deletion attempts across courses.
Suggested commands include using web server access logs or network monitoring tools to filter requests to `gradebook_view_result.php` with these parameters.
- Using grep on web server logs to find suspicious requests: `grep 'gradebook_view_result.php' /var/log/apache2/access.log | grep -E 'delete_mark=|resultdelete='`
- Using network monitoring tools like Wireshark or tcpdump to capture HTTP GET requests containing `delete_mark` or `resultdelete` parameters.
Additionally, reviewing application logs for deletion events without proper ownership or course-scope verification can help detect exploitation attempts.
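The grep above only lists matching requests; a defender usually also wants to know which clients are deleting many result IDs in a short burst, because the record notes that result IDs are sequential. The following script is an added example, not part of this CVE record or of Chamilo: it parses constructed Apache combined-format log lines, extracts every request to `gradebook_view_result.php` that carries `delete_mark` or `resultdelete`, and flags clients whose deleted IDs form a consecutive run. The `/main/gradebook/` path prefix and the `selecteval` parameter name are assumptions made for the sample data, and HTTP 500 responses in a burst are counted because they are consistent with the null-dereference case for a non-existent ID.

```python
"""Flag gradebook deletion requests in web-server access logs.

Added example (not from the CVE record or from Chamilo). The log lines are
constructed, in Apache combined format; the /main/gradebook/ prefix and the
selecteval parameter are assumed names used only for the sample data.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined-log-format pattern: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
DELETE_PARAMS = ("delete_mark", "resultdelete")

# Constructed sample log: one single deletion from one client, and one client
# walking sequential result IDs (the enumeration pattern the CVE enables).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2026:09:12:01 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=12 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Apr/2026:09:12:09 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=12&delete_mark=4411 HTTP/1.1" 302 0
198.51.100.23 - - [10/Apr/2026:09:15:30 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=3&resultdelete=100 HTTP/1.1" 302 0
198.51.100.23 - - [10/Apr/2026:09:15:31 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=3&resultdelete=101 HTTP/1.1" 302 0
198.51.100.23 - - [10/Apr/2026:09:15:32 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=3&resultdelete=102 HTTP/1.1" 500 0
198.51.100.23 - - [10/Apr/2026:09:15:33 +0000] "GET /main/gradebook/gradebook_view_result.php?selecteval=3&resultdelete=103 HTTP/1.1" 302 0
203.0.113.9 - - [10/Apr/2026:09:20:00 +0000] "POST /main/inc/ajax/course.ajax.php HTTP/1.1" 200 88
"""


def parse_deletions(log_text):
    """Return one dict per request that carries a gradebook deletion parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        if not url.path.endswith("/gradebook_view_result.php"):
            continue
        qs = parse_qs(url.query)
        for param in DELETE_PARAMS:
            if param in qs:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "param": param,
                    "result_id": qs[param][0],
                    "status": int(m.group("status")),
                })
    return hits


def find_enumeration(hits, threshold=3):
    """Group deletions by client and flag clients deleting >= threshold distinct IDs.

    A burst of deletions over consecutive result IDs from one client is what a
    defender should triage first; 5xx responses inside the burst are counted
    because they match the non-existent-ID crash the CVE describes.
    """
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h)
    flagged = {}
    for ip, reqs in by_ip.items():
        ids = sorted({int(r["result_id"]) for r in reqs if r["result_id"].isdigit()})
        if len(ids) >= threshold:
            flagged[ip] = {
                "count": len(ids),
                "consecutive": all(b - a == 1 for a, b in zip(ids, ids[1:])),
                "server_errors": sum(1 for r in reqs if r["status"] >= 500),
            }
    return flagged


if __name__ == "__main__":
    hits = parse_deletions(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["param"]}={h["result_id"]} -> {h["status"]}')
    for ip, info in find_enumeration(hits).items():
        print(f"suspicious: {ip} deleted {info['count']} ids, "
              f"consecutive={info['consecutive']}, 5xx={info['server_errors']}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the threshold is deliberately low so that a teacher removing a handful of results from their own evaluation is still reviewed, and the per-client summary can be joined with application-side session data to confirm whether the deleted results were inside that teacher's courses.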
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Chamilo LMS to version 1.11.38 or 2.0.0-RC.3 or later, where this vulnerability has been fixed.
The fix involves validation checks ensuring that any deletion or modification of gradebook results verifies that the evaluation ID of the result matches the currently selected evaluation, preventing unauthorized deletion across courses.
If upgrading immediately is not possible, restrict access to the gradebook result view page to trusted users only and monitor for suspicious deletion requests as a temporary measure.
Review and apply any available patches from the official Chamilo LMS repository that enforce evaluation ID validation on gradebook result operations.
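To make the shape of the fix concrete, the following is an added example and not Chamilo's code: it models the deletion handler with an in-memory store and shows the pre-fix behaviour (delete whatever ID the request names, crash on a missing one) next to the checked version that the fix description calls for, where the result must belong to the currently selected evaluation and a missing result is rejected instead of dereferenced. The class names, the teacher-to-course mapping and the sample data are all assumptions made for the illustration.

```python
"""Scope check for gradebook result deletion, modelled in Python.

Added example, not Chamilo's code. Illustrates the check in the fix
description (the result's evaluation ID must match the currently selected
evaluation) plus rejection of a missing result, using in-memory data.
All names and sample values are assumed.
"""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised instead of dereferencing a missing result (the DoS case)."""


class Forbidden(Exception):
    """Raised when the result is outside the caller's evaluation or course."""


@dataclass
class Result:
    id: int
    evaluation_id: int
    student_id: int
    score: float


@dataclass
class Evaluation:
    id: int
    course_id: int


# Constructed sample data: two courses, one evaluation each, one result each.
EVALUATIONS = {12: Evaluation(12, course_id=1), 3: Evaluation(3, course_id=2)}
COURSE_TEACHERS = {1: {"alice"}, 2: {"bob"}}


def sample_results():
    return {
        4411: Result(4411, evaluation_id=12, student_id=501, score=17.5),
        100: Result(100, evaluation_id=3, student_id=777, score=12.0),
    }


def delete_result_unchecked(results, result_id):
    """Pre-fix shape: deletes whatever ID the request names.

    Mirrors the two defects the CVE describes: no scope check, and a missing
    ID is dereferenced (AttributeError here, null dereference in the original)
    instead of being rejected.
    """
    result = results.get(result_id)
    results.pop(result.id)          # AttributeError when result is None
    return result


def delete_result_checked(results, teacher, selected_evaluation_id, result_id):
    """Fixed shape: reject missing results and results outside the selected evaluation.

    The evaluation comes from the page the teacher is working in, so a result
    belonging to another evaluation (and possibly another course) is refused
    even though its ID is guessable.
    """
    result = results.get(result_id)
    if result is None:
        raise NotFound(f"result {result_id} does not exist")
    evaluation = EVALUATIONS.get(selected_evaluation_id)
    if evaluation is None or teacher not in COURSE_TEACHERS.get(evaluation.course_id, set()):
        raise Forbidden(f"{teacher} does not teach evaluation {selected_evaluation_id}")
    if result.evaluation_id != selected_evaluation_id:
        raise Forbidden(
            f"result {result_id} belongs to evaluation {result.evaluation_id}, "
            f"not {selected_evaluation_id}"
        )
    return results.pop(result_id)


if __name__ == "__main__":
    store = sample_results()
    # Unchecked path: a course-1 teacher removes a course-2 result without any check.
    print("unchecked deleted", delete_result_unchecked(store, 100))
    store = sample_results()
    for args in ((store, "alice", 12, 100), (store, "alice", 12, 9999), (store, "alice", 12, 4411)):
        try:
            print("deleted", delete_result_checked(*args))
        except (NotFound, Forbidden) as exc:
            print("refused:", exc)
```

The order of the checks matters: the existence check comes first so that an unknown ID can never reach code that reads fields from a null record, and the course-membership check is separate from the evaluation-match check so that a teacher who legitimately works in the selected evaluation still cannot reach a result that was filed under a different one.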
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows any authenticated teacher to delete any student's grade result across the entire platform without ownership or course-scope verification. This can lead to permanent deletion of academic records, which may have legal consequences.
Such unauthorized deletion of student data could impact compliance with regulations that require data integrity and protection of personal information, such as GDPR and HIPAA, by compromising the accuracy and availability of educational records.