| Field | Value |
|---|---|
| Title | Chamilo LMS <= v2.0.0 Beta 1 SocialController IDOR - Legal Consent Data Manipulat |
| Description | Multiple endpoints in `SocialController.php` of Chamilo LMS 2.x are vulnerable to Insecure Direct Object Reference (IDOR). An authenticated attacker can change the `userId` parameter in POST requests to perform unauthorized operations on other users' legal-consent and privacy-related data. The vulnerability exists because these endpoints read `userId` from the request body without verifying that the authenticated user is allowed to operate on that user's data. |
| Source | https://note-hxlab.wetolink.com/share/w92t1Q0a74Gj |
| User | angelkate (UID 94159) |
| Submission | 05.01.2026 08:14 (5 months ago) |
| Moderation | 17.01.2026 09:37 (12 days later) |
| Status | Accepted |
| VulDB Entry | 341698 [Chamilo LMS up to 2.0.0 Beta 1 Legal Consent SocialController.php deleteLegal userId privilege escalation] |
| Points | 20 |
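The pattern the submission describes, shown as an added illustration rather than Chamilo's own code: a controller action takes the target `userId` from the POST body and acts on it, next to a hardened version that decides authorisation from the server-side session instead. `LegalConsentStore`, `deleteLegalVulnerable`, `deleteLegalHardened`, the `$session` keys and the sample data are all hypothetical and do not correspond to Chamilo's real classes or schema.

```php
<?php
// Added example, not Chamilo LMS code. Every name below is hypothetical.
declare(strict_types=1);

// Stand-in for the table that holds each user's legal-consent record.
final class LegalConsentStore
{
    /** @var array<int, array{accepted: bool, date: string}> constructed sample rows */
    private array $rows = [
        7  => ['accepted' => true, 'date' => '2025-10-01'],
        42 => ['accepted' => true, 'date' => '2025-11-15'],
    ];

    public function delete(int $userId): void
    {
        unset($this->rows[$userId]);
    }

    public function has(int $userId): bool
    {
        return isset($this->rows[$userId]);
    }
}

/**
 * Vulnerable shape: whoever is logged in can delete any user's record,
 * because the target id comes straight from the request body and is never
 * compared with the caller's identity.
 */
function deleteLegalVulnerable(array $post, array $session, LegalConsentStore $store): array
{
    $userId = (int) ($post['userId'] ?? 0);
    $store->delete($userId);
    return ['status' => 200, 'body' => "deleted consent for user $userId"];
}

/**
 * Hardened shape: the caller's id and role come from the server-side session.
 * A non-admin may only act on their own record; the client-supplied userId is
 * only honoured when it matches the caller or the caller is an administrator.
 */
function deleteLegalHardened(array $post, array $session, LegalConsentStore $store): array
{
    $callerId = (int) ($session['user_id'] ?? 0);
    if ($callerId <= 0) {
        return ['status' => 401, 'body' => 'not authenticated'];
    }

    $isAdmin   = (bool) ($session['is_admin'] ?? false);
    $requested = (int) ($post['userId'] ?? $callerId);

    if (!$isAdmin && $requested !== $callerId) {
        // Reject rather than silently substituting the caller's id, so the
        // attempt is visible in logs and the client gets an unambiguous answer.
        return ['status' => 403, 'body' => 'forbidden'];
    }

    $store->delete($requested);
    return ['status' => 200, 'body' => "deleted consent for user $requested"];
}

// Constructed request: user 7 is logged in and targets user 42's record.
$session = ['user_id' => 7, 'is_admin' => false];
$post    = ['userId' => 42];

$vulnerable = new LegalConsentStore();
$r1 = deleteLegalVulnerable($post, $session, $vulnerable);
printf("vulnerable: %d %s, user 42 record present: %s\n",
    $r1['status'], $r1['body'], $vulnerable->has(42) ? 'yes' : 'no');

$hardened = new LegalConsentStore();
$r2 = deleteLegalHardened($post, $session, $hardened);
printf("hardened:   %d %s, user 42 record present: %s\n",
    $r2['status'], $r2['body'], $hardened->has(42) ? 'yes' : 'no');
```

When reviewing a fix for this class of bug, check every action in the controller that reads `userId` from the request, not only the one named in the VulDB entry: the submission says multiple endpoints share the pattern, and an ownership check added to a single action leaves the others exploitable. Keeping the comparison in one shared guard rather than repeating it per action makes that audit easier.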