Compliance Impact

The vulnerability allows any authenticated teacher to view and modify evaluation settings of courses they do not own by exploiting an Insecure Direct Object Reference (IDOR) in the Chamilo LMS gradebook module. This unauthorized access and modification of evaluation data can lead to violations of data integrity and confidentiality.

Such unauthorized data access and modification could impact compliance with standards and regulations that require strict access controls and data protection, such as GDPR and HIPAA. Specifically, the failure to enforce proper authorization checks may lead to unauthorized disclosure or alteration of sensitive educational data, which could be considered a breach of data protection principles.

Therefore, this vulnerability undermines the ability of organizations using Chamilo LMS to ensure compliance with regulations mandating data confidentiality, integrity, and proper access controls.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-32930 is an Insecure Direct Object Reference (IDOR) vulnerability in the Chamilo LMS gradebook evaluation edit page. It allows any authenticated teacher to view and modify the settings (such as name, maximum score, and weight) of evaluations belonging to any other course by manipulating the 'editeval' GET parameter. This happens because the system does not verify that the evaluation being edited belongs to the teacher's current course context, enabling unauthorized access and modification.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized modification of grading criteria across courses. Any authenticated teacher can change evaluation settings for courses they do not own, which can compromise academic integrity. The impact includes unauthorized data modification (high integrity impact) without affecting availability. Attackers can exploit this remotely with low complexity and no user interaction required.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if an authenticated teacher user is able to access or modify evaluation settings of courses they do not own by manipulating the 'editeval' GET parameter in the gradebook evaluation edit page.

Since the vulnerability involves unauthorized access via the 'editeval' parameter, detection can involve monitoring HTTP requests to the gradebook evaluation edit endpoint for unusual or unauthorized 'editeval' parameter values.

Suggested commands include using web server access logs or network monitoring tools to filter requests to the gradebook edit evaluation URL and inspect the 'editeval' parameter for suspicious activity.

• Use grep or similar tools on web server logs to find requests with 'editeval' parameter, e.g., `grep 'editeval=' /var/log/apache2/access.log`
• Use curl or similar HTTP clients to test access control, e.g., `curl -b cookies.txt 'https://your-chamilo-instance/main/gradebook/gradebook_edit_eval.php?editeval=EVAL_ID'` replacing EVAL_ID with evaluation IDs outside the teacher's course.
• Monitor application logs or enable debug logging to detect unauthorized access attempts to evaluation editing functionality.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Chamilo LMS to a patched version where this vulnerability is fixed, specifically version 1.11.38 or 2.0.0-RC.3 or later.

If upgrading immediately is not possible, restrict access to the gradebook evaluation edit page to trusted users only and monitor for suspicious activity involving the 'editeval' parameter.

Apply access control measures to ensure that only authorized teachers can edit evaluations belonging to their own courses, and prevent manipulation of the 'editeval' parameter.

Review and apply the security patch that enforces validation of evaluation existence, ownership, and locked status before allowing edits.

Useful 0 Not Useful 0