CVE-2026-32932
Open Redirect in Chamilo LMS Session Course Edit Page

Publication date: 2026-04-10

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Open Redirect vulnerability in the session course edit page allows an attacker to redirect an authenticated administrator to an arbitrary external URL after saving coach assignment changes. The redirect also leaks the id_session parameter to the attacker's server. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 11 associated CPEs
Vendor    Product       Version / Range
chamilo   chamilo_lms   2.0.0 (ten identical entries in the listing)
chamilo   chamilo_lms   up to 1.11.38 (excluding)
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32932 is an Open Redirect vulnerability in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3. It occurs in the session course edit page where an attacker can manipulate the `page` parameter used in HTTP redirects after saving coach assignment changes.

The vulnerability arises because the application improperly validates and sanitizes the `page` parameter, allowing an attacker to redirect an authenticated administrator to an arbitrary external URL. Additionally, the `id_session` parameter is leaked to the attacker’s server via the redirect URL.

The root cause is that the original code used a function that only removed XSS-related content but did not restrict the redirect to internal pages, enabling external URLs to be used in redirects.

The vulnerability is fixed by introducing a whitelist of allowed pages, sanitizing the `page` parameter using PHP’s `basename()` function, validating it against the whitelist, and only redirecting to these safe pages.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to redirect authenticated administrators to malicious external websites after they perform routine administrative actions.

Because the redirect originates from a legitimate Chamilo LMS URL, it can bypass security awareness measures and be used in phishing attacks to harvest credentials by chaining with convincing login-page clones.

Additionally, the `id_session` parameter is leaked to the attacker’s server, potentially exposing session-related information.

The vulnerability has a moderate severity with a CVSS v3.1 base score of 4.7, indicating a network attack vector with low complexity and no privileges required but requiring user interaction.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to redirect an authenticated administrator to an arbitrary external URL and leaks the id_session parameter to the attacker's server.

This leakage of session identifiers and the potential for phishing attacks could lead to unauthorized access or exposure of sensitive information, which may impact compliance with data protection regulations such as GDPR or HIPAA.

Because the redirect originates from a legitimate Chamilo URL, it can bypass security awareness measures, increasing the risk of credential harvesting and data breaches.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an Open Redirect in the Chamilo LMS session course edit page, where the `page` parameter in the URL is improperly validated, allowing redirection to arbitrary external URLs.

To detect this vulnerability on your system, you can check if your Chamilo LMS installation is running a vulnerable version (prior to 1.11.38 or 2.0.0-RC.3).

You can also monitor HTTP traffic or logs for suspicious redirect patterns involving the `page` parameter redirecting to external URLs.

  • Use curl or wget to test the redirect behavior by sending a crafted request to the session course edit page with a malicious `page` parameter, for example:
      curl -I 'https://your-chamilo-instance/main/session/session_course_edit.php?page=https://attacker.example/phishing&id_session=5'
  • Check the HTTP response headers for a Location header redirecting to an external URL.
  • Review web server access logs for requests to `session_course_edit.php` containing suspicious `page` parameters pointing to external domains.
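The log review step above, as an added example that is not part of the page or of Chamilo: it scans constructed access-log lines and flags requests to `session_course_edit.php` whose `page` parameter carries a host outside an assumed list of your own LMS hostnames (`TRUSTED_HOSTS`, the log layout, and the sample lines are all assumptions).

```php
<?php
// Added example, not from the page or from Chamilo: flag access-log requests
// to session_course_edit.php whose page= parameter points at an external
// host. Assumes the common Apache/nginx "combined" log layout and that
// TRUSTED_HOSTS lists your own LMS hostnames (assumed value below).

const TRUSTED_HOSTS = ['lms.example.edu'];

// True when the page parameter carries a host component (absolute or
// scheme-relative //host form) that is not one of our trusted hosts.
function is_external_redirect_request(string $logLine): bool
{
    // The request target is the token after the method inside the quotes.
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP/', $logLine, $m)) {
        return false;
    }
    $path = parse_url($m[1], PHP_URL_PATH) ?? '';
    if (!str_ends_with((string) $path, '/session_course_edit.php')) {
        return false;
    }
    // parse_str also URL-decodes, so %3A%2F%2F becomes :// here.
    parse_str((string) (parse_url($m[1], PHP_URL_QUERY) ?? ''), $query);
    $host = parse_url((string) ($query['page'] ?? ''), PHP_URL_HOST);
    if ($host === null || $host === false) {
        return false; // bare file name or relative path: internal target
    }
    return !in_array(strtolower($host), TRUSTED_HOSTS, true);
}

// Constructed sample log lines (not real traffic).
$lines = [
    '10.0.0.5 - admin [10/Apr/2026:10:00:01 +0000] "GET /main/session/session_course_edit.php?page=resume_session.php&id_session=5 HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Apr/2026:10:02:17 +0000] "GET /main/session/session_course_edit.php?page=https%3A%2F%2Fattacker.example%2Fphishing&id_session=5 HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Apr/2026:10:03:40 +0000] "GET /main/session/session_course_edit.php?page=//attacker.example/x&id_session=5 HTTP/1.1" 302 0',
    '10.0.0.5 - admin [10/Apr/2026:10:05:02 +0000] "GET /main/session/session_course_edit.php?page=https://lms.example.edu/main/session/resume_session.php&id_session=5 HTTP/1.1" 302 0',
];
foreach ($lines as $line) {
    echo is_external_redirect_request($line) ? 'FLAG  ' : 'ok    ', $line, "\n";
}
```

The second and third sample lines are flagged; the first and fourth are not. Requires PHP 8.0 or later for `str_ends_with()`.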

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Chamilo LMS to a fixed version, specifically version 1.11.38 or 2.0.0-RC.3 or later, where this vulnerability has been patched.

The patch involves strict validation and sanitization of the `page` parameter by implementing a whitelist of allowed pages and using PHP's basename() function to sanitize input, preventing unauthorized redirects.

If upgrading immediately is not possible, you can apply the patch manually by:

  • Implementing a whitelist of allowed pages (e.g., 'session_course_list.php' and 'resume_session.php') for the `page` parameter.
  • Sanitizing the `page` parameter using PHP's basename() function to strip directory paths.
  • Validating the sanitized `page` parameter against the whitelist and defaulting to a safe page if it does not match.
  • Using the sanitized and validated `page` parameter in the redirect header instead of the raw input.
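The four steps above, shown side by side with the weak pattern they replace, as an added illustrative example that is not Chamilo's source code: the XSS-only filter stand-in, the function names and the safe default page are assumptions, while the whitelist entries are the two pages named above.

```php
<?php
// Added illustrative example, not Chamilo's code: why an XSS-only filter
// leaves an open redirect, and the whitelist + basename() pattern the
// Q&A describes. Function names and the safe default are assumptions.

// Stand-in for an XSS-stripping filter (assumed name). It removes tags and
// javascript: fragments but leaves an absolute http(s) URL untouched.
function strip_xss_only(string $value): string
{
    return preg_replace('/<[^>]*>|javascript:/i', '', $value);
}

// Vulnerable pattern: the only check is the XSS filter, so an external URL
// reaches the Location header together with id_session.
function redirect_target_vulnerable(string $page, int $idSession): string
{
    return strip_xss_only($page) . '?id_session=' . $idSession;
}

// Hardened pattern: basename() drops any directory or URL prefix, the result
// must match a fixed list of internal pages, anything else falls back to a
// known-safe page. The target is always a relative file name, so id_session
// can no longer be sent to a third-party host.
const ALLOWED_PAGES = ['session_course_list.php', 'resume_session.php'];

function redirect_target_hardened(string $page, int $idSession): string
{
    $candidate = basename($page);
    if (!in_array($candidate, ALLOWED_PAGES, true)) {
        $candidate = 'resume_session.php'; // assumed safe default
    }
    return $candidate . '?id_session=' . $idSession;
}

// Constructed inputs: a legitimate page, an external URL, a traversal
// attempt, and an external URL that ends in a whitelisted file name.
$inputs = [
    'resume_session.php',
    'https://attacker.example/phishing',
    '../../other/page.php',
    'https://attacker.example/resume_session.php',
];
foreach ($inputs as $in) {
    printf("%-45s vulnerable -> %s\n", $in, redirect_target_vulnerable($in, 5));
    printf("%-45s hardened   -> %s\n", $in, redirect_target_hardened($in, 5));
}
```

The returned strings are what would be passed to `header('Location: ...')`; the hardened variant never yields an absolute URL, even for the last input, which `basename()` reduces to the whitelisted relative file name.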

Additionally, review and monitor administrative actions and educate administrators about phishing risks that could exploit this vulnerability.

