PT-2024-23525 · Unknown · Chamilo Lms
Baha Doumi
·
Published
2024-11-04
·
Updated
2024-11-05
·
CVE-2024-30619
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Chamilo LMS version 1.11.26
Description
The issue is related to Incorrect Access Control, allowing a non-authenticated attacker to request sensitive information. Specifically, an attacker can access the number of messages and the number of online users via "/main/inc/ajax/message.ajax.php?a=get count message" and "/main/inc/ajax/online.ajax.php?a=get users online". This exposes sensitive data locally.
Recommendations
For Chamilo LMS version 1.11.26, patch immediately to mitigate risks. As a temporary workaround, consider restricting access to the vulnerable API endpoints "/main/inc/ajax/message.ajax.php" and "/main/inc/ajax/online.ajax.php" to minimize the risk of exploitation.
Exploit
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Chamilo Lms