Unknown · Chamilo LMS · CVE-2026-40291
**Name of the Vulnerable Software and Affected Versions**
Chamilo LMS versions prior to 2.0.0-RC.3
**Description**
An insecure direct object modification in the `PUT /api/users/{id}` endpoint allows authenticated users with the `ROLE_STUDENT` role to escalate their privileges to `ROLE_ADMIN`. This occurs because the security expression `is_granted('EDIT', object)` only verifies record ownership, which a student editing their own record satisfies, while the `roles` field remains in the writable serialization group, so no field-level check stops a self-service edit from changing it. By modifying the `roles` field on their own user record, an attacker can gain full administrative control of the platform, including access to all courses, user data, grades, and administrative settings.
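The following is an added illustration, not Chamilo's code, of the configuration pattern the description points at: an API Platform resource whose update operation checks ownership but still deserializes a privilege-bearing field, shown beside a hardened layout that moves `roles` into a group only an admin-only operation accepts and adds a post-denormalization guard. Class, property, group and operation names (`User`, `user:write`, `user:write:admin`, `/admin/users/{id}`) are assumptions chosen for the example; the `EDIT`/`VIEW` voter attributes are used as the page describes them.

```php
<?php
// Added example (not Chamilo's code): weak vs hardened API Platform resource
// configuration for a user entity. Assumes API Platform 3 and Symfony 6.4+
// (Symfony\Component\Serializer\Attribute\Groups).

namespace App\Entity;

use ApiPlatform\Metadata\ApiResource;
use ApiPlatform\Metadata\Get;
use ApiPlatform\Metadata\Put;
use Symfony\Component\Serializer\Attribute\Groups;

// --- WEAK PATTERN (the shape described in the advisory) --------------------
// The voter behind 'EDIT' answers only "does the caller own this record?", and
// the single write group used for every PUT includes `roles`, so an owner can
// rewrite their own roles. Kept as a comment so this file stays loadable.
//
// #[ApiResource(
//     operations: [new Put(security: "is_granted('EDIT', object)")],
//     denormalizationContext: ['groups' => ['user:write']],
// )]
// class User {
//     #[Groups(['user:read', 'user:write'])]   // <- privilege-bearing field is writable by owner
//     private array $roles = [];
// }

// --- HARDENED ---------------------------------------------------------------
#[ApiResource(
    normalizationContext: ['groups' => ['user:read']],
    operations: [
        new Get(security: "is_granted('VIEW', object)"),

        // Self-service edit: the ownership check stays, but this operation only
        // deserializes the 'user:write' group, which carries no privilege fields.
        // securityPostDenormalize is defense in depth: even if a field is later
        // added to the group by mistake, a request that changed roles is refused.
        new Put(
            security: "is_granted('EDIT', object)",
            securityPostDenormalize: "object.getRoles() == previous_object.getRoles()",
            denormalizationContext: ['groups' => ['user:write']],
        ),

        // Role changes live on a separate operation that requires ROLE_ADMIN and
        // is the only operation that deserializes the 'user:write:admin' group.
        new Put(
            uriTemplate: '/admin/users/{id}',
            security: "is_granted('ROLE_ADMIN')",
            denormalizationContext: ['groups' => ['user:write', 'user:write:admin']],
        ),
    ],
)]
class User
{
    #[Groups(['user:read'])]
    private ?int $id = null;

    // Ordinary profile data: readable and writable by the record owner.
    #[Groups(['user:read', 'user:write'])]
    private string $firstname = '';

    // Readable by anyone allowed to read the record, writable only through the
    // admin operation above because 'user:write:admin' is the sole write group.
    #[Groups(['user:read', 'user:write:admin'])]
    private array $roles = ['ROLE_USER'];

    public function getId(): ?int
    {
        return $this->id;
    }

    public function getFirstname(): string
    {
        return $this->firstname;
    }

    public function setFirstname(string $firstname): self
    {
        $this->firstname = $firstname;
        return $this;
    }

    /** @return string[] */
    public function getRoles(): array
    {
        // Every account keeps ROLE_USER regardless of what is stored.
        return array_values(array_unique([...$this->roles, 'ROLE_USER']));
    }

    /** @param string[] $roles */
    public function setRoles(array $roles): self
    {
        $this->roles = $roles;
        return $this;
    }
}
```

The design point is that ownership and field-level authorization are separate questions: `is_granted('EDIT', object)` answers "may this caller touch this record", while the serialization groups decide "which fields may this operation change". Keeping privilege-bearing fields out of every group a non-admin operation deserializes, and adding a `securityPostDenormalize` comparison against `previous_object`, means a regression in one layer is still caught by the other.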
**Recommendations**
Update to version 2.0.0-RC.3.