PT-2026-32932 · Unknown · Chamilo Lms

Abhiabhi2306 · Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-34370

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Chamilo LMS versions prior to 2.0.0-RC.3

Description

The notebook module contains an Insecure Direct Object Reference (IDOR), a flaw where an application provides direct access to objects based on user-supplied input. This allows any authenticated student to read private course notes of other users by manipulating the notebook_id parameter in the 'editnote' action. The application retrieves note content using the provided integer ID without verifying user ownership in the get_note_information() function, resulting in the full title and HTML body being returned to the browser.

Recommendations

Update to version 2.0.0-RC.3.
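
The missing ownership check described above, shown beside a corrected lookup. This is an added example, not Chamilo's code or the upstream patch; the table, column and function names are hypothetical, the data is constructed, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Constructed sample data: two users, one private note each (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notebook (id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT, description TEXT)');
$db->exec("INSERT INTO notebook VALUES (1, 10, 'Note of user 10', '<p>private</p>'),
                                       (2, 20, 'Note of user 20', '<p>private</p>')");

// Pattern the advisory describes: the lookup trusts the client-supplied id alone.
function getNoteUnchecked(PDO $db, int $noteId): ?array
{
    $stmt = $db->prepare('SELECT title, description FROM notebook WHERE id = :id');
    $stmt->execute([':id' => $noteId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Corrected form: the owner is part of the query, so a note that belongs to
// someone else looks exactly like a note that does not exist.
function getNoteForOwner(PDO $db, int $noteId, int $sessionUserId): ?array
{
    $stmt = $db->prepare(
        'SELECT title, description FROM notebook WHERE id = :id AND user_id = :uid'
    );
    $stmt->execute([':id' => $noteId, ':uid' => $sessionUserId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// The user id comes from the server-side session, never from the request.
$sessionUserId = 20;

// Regression check for the flaw: user 20 requests note 1, owned by user 10.
$leaked  = getNoteUnchecked($db, 1);                 // unchecked lookup
$foreign = getNoteForOwner($db, 1, $sessionUserId);  // owner-scoped lookup
$own     = getNoteForOwner($db, 2, $sessionUserId);  // user 20's own note

printf("unchecked lookup returned a foreign note: %s\n", $leaked !== null ? 'yes' : 'no');
printf("owner-scoped lookup returned a foreign note: %s\n", $foreign !== null ? 'yes' : 'no');
printf("owner-scoped lookup returned the user's own note: %s\n", $own !== null ? 'yes' : 'no');

// A handler should answer "not found" for $foreign === null, using the same
// response for missing and foreign ids so note ids cannot be enumerated.
```

The same two-user check works as a regression test after upgrading: request another account's note id while logged in as a student and confirm that no title or body comes back.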

Fix · IDOR · Improper Authorization

Related Identifiers: CVE-2026-34370

Affected Products: Chamilo Lms