CVE-2026-34370
IDOR Vulnerability in Chamilo LMS Notebook Module Exposes Notes
Publication date: 2026-04-14
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | 2.0.0 |
| chamilo | chamilo_lms | up to and including 1.11.38 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Chamilo LMS versions prior to 2.0.0-RC.3 is an Insecure Direct Object Reference (IDOR) in the notebook module. It allows any authenticated student to read private course notes of other users by manipulating the notebook_id parameter in the editnote action. The system fetches note content based solely on the provided integer ID without verifying ownership, exposing the full title and HTML body of notes to unauthorized users.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of private course notes between users. An attacker who is an authenticated student can access sensitive information belonging to other users, potentially compromising privacy and confidentiality within the learning platform.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where the issue has been fixed.
Until the upgrade can be performed, restrict authenticated student access to the notebook module or monitor and control the manipulation of the notebook_id parameter in requests to prevent unauthorized access to other users' notes.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether an authenticated student user can access private course notes of other users by manipulating the notebook_id parameter in the editnote action.
A practical approach is to authenticate as a student and attempt to access notes by changing the notebook_id parameter in the URL or request payload to IDs that belong to other users.
For example, use curl to send requests with different notebook_id values and observe whether the response contains note content that should not be accessible to the authenticated user:
- curl -b cookies.txt -c cookies.txt 'https://your-chamilo-instance/editnote?notebook_id=123'
- Modify the notebook_id parameter to other values (e.g., 124, 125) to check if notes from other users are returned.
If notes belonging to other users are accessible without proper authorization errors, the vulnerability is present.
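On the server side, the same misuse leaves a trace in the web server access log: one authenticated session opening many different notebook_id values through the editnote action in a short span. The script below is an added example, not part of this advisory or of Chamilo; it assumes combined-format access logs whose third field carries the authenticated username and Chamilo 1.11-style notebook URLs (both assumptions), and flags users who read several distinct notes within a time window.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real Chamilo logs): alice
# opens her own note once; bob walks through consecutive notebook_id values.
SAMPLE_LOG = """\
203.0.113.5 - alice [14/Apr/2026:10:01:02 +0000] "GET /main/notebook/index.php?action=editnote&notebook_id=123 HTTP/1.1" 200 5120
198.51.100.9 - bob [14/Apr/2026:10:10:01 +0000] "GET /main/notebook/index.php?action=editnote&notebook_id=124 HTTP/1.1" 200 4870
198.51.100.9 - bob [14/Apr/2026:10:10:07 +0000] "GET /main/notebook/index.php?action=editnote&notebook_id=125 HTTP/1.1" 200 3311
198.51.100.9 - bob [14/Apr/2026:10:10:12 +0000] "GET /main/notebook/index.php?action=editnote&notebook_id=126 HTTP/1.1" 200 2904
198.51.100.9 - bob [14/Apr/2026:10:10:19 +0000] "GET /main/notebook/index.php?action=editnote&notebook_id=127 HTTP/1.1" 200 4102
198.51.100.9 - bob [14/Apr/2026:10:11:30 +0000] "GET /main/notebook/index.php?action=listing HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def parse_editnote_reads(log_text):
    """Yield (user, timestamp, notebook_id) for successful editnote requests."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        qs = parse_qs(urlsplit(m.group("target")).query)
        nid = qs.get("notebook_id", [""])[0]
        if qs.get("action") != ["editnote"] or not nid.isdigit():
            continue  # other actions and non-numeric ids are not enumeration candidates
        yield m.group("user"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"), int(nid)

def find_enumerating_users(log_text, window_seconds=300, min_distinct_ids=3):
    """Return {user: sorted distinct notebook_ids} for users who opened at least
    min_distinct_ids different notes via editnote inside any window_seconds span."""
    events = defaultdict(list)
    for user, ts, nid in parse_editnote_reads(log_text):
        events[user].append((ts, nid))
    flagged = {}
    for user, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            ids = {nid for ts, nid in evs[i:] if (ts - start).total_seconds() <= window_seconds}
            if len(ids) >= min_distinct_ids:
                flagged[user] = sorted(ids)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumerating_users(SAMPLE_LOG))  # {'bob': [124, 125, 126, 127]}
```

Tune window_seconds and min_distinct_ids to the course's normal note-editing rate; a user legitimately owns several notes, so the threshold should sit above what one student edits in a few minutes.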
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows any authenticated student to read private course notes of other users without authorization, which constitutes unauthorized access to personal data.
Such unauthorized disclosure of private information could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive data.
Specifically, the lack of ownership verification in the read path of the notebook module means that confidentiality of user data is compromised, potentially violating principles of data minimization and access control mandated by these standards.