CVE-2024-30619

7.5 HIGH

📋 TL;DR

Chamilo LMS 1.11.26 has an incorrect access control vulnerability where unauthenticated attackers can access sensitive information via specific API endpoints. This allows enumeration of message counts and online users without authentication. All deployments of the affected version are vulnerable.

💻 Affected Systems

Products:
  • Chamilo LMS
Versions: 1.11.26
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects version 1.11.26 specifically; earlier versions may have different vulnerabilities.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Information disclosure could lead to reconnaissance for further attacks, user enumeration, and potential privacy violations if combined with other vulnerabilities.

🟠 Likely Case

Unauthenticated attackers can gather information about user activity and message volumes, enabling reconnaissance and potential social engineering attacks.

🟢 If Mitigated

With proper access controls, only authenticated users can access these endpoints, preventing information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests to the vulnerable endpoints can trigger the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit bef68ffe0552cd25b0ef760e582e1188f0f6bf4b

Vendor Advisory: https://github.com/chamilo/chamilo-lms/commit/bef68ffe0552cd25b0ef760e582e1188f0f6bf4b

Restart Required: No

Instructions:

1. Update to the latest Chamilo LMS version.
2. Apply the specific commit bef68ffe0552cd25b0ef760e582e1188f0f6bf4b if using version 1.11.26.
3. Verify the fix by testing the affected endpoints.

🔧 Temporary Workarounds

Block vulnerable endpoints (applies to: all platforms)

Use the web server configuration to deny access to the two vulnerable PHP files. Note that this denies them to authenticated users as well, so the in-application features that call them (message count, online-user list) stop working until the patch is applied.

# For Apache: add to .htaccess in the directory containing the files (main/inc/ajax/).
# Requires an AllowOverride setting that permits these directives in .htaccess.
<Files "message.ajax.php">
    Require all denied
</Files>
<Files "online.ajax.php">
    Require all denied
</Files>
# For Nginx: add to the server block, BEFORE the generic "location ~ \.php$" block,
# because the first matching regex location wins and the PHP handler would otherwise
# serve the request.
location ~ /main/inc/ajax/(message|online)\.ajax\.php$ {
    deny all;
}

🧯 If You Can't Patch

  • Implement network-level access controls to restrict access to the Chamilo application to trusted users only
  • Deploy a web application firewall (WAF) with rules to block requests to the vulnerable endpoints from unauthenticated sources

🔍 How to Verify

Check if Vulnerable:

Send HTTP GET requests to /main/inc/ajax/message.ajax.php?a=get_count_message and /main/inc/ajax/online.ajax.php?a=get_users_online without authentication. If they return data, the system is vulnerable.

Check Version:

Check the Chamilo version in the admin panel or look for version information in the source code

Verify Fix Applied:

After patching, repeat the same requests without authentication. They should return access denied errors or redirect to login.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to /main/inc/ajax/message.ajax.php or /main/inc/ajax/online.ajax.php for requests that carry no authenticated session
  • Unusual spike in requests to these endpoints

Network Indicators:

  • GET requests to the vulnerable endpoints without authentication headers
  • Responses containing message counts or user online data

SIEM Query:

source="web_server_logs" AND (uri="/main/inc/ajax/message.ajax.php" OR uri="/main/inc/ajax/online.ajax.php") AND status=200 AND NOT auth_token=*

The field names above are illustrative; adapt them to your log schema. Plain web server access logs do not record session state, so the "unauthenticated" condition usually has to be approximated (for example, by the absence of a Referer from the Chamilo site itself or by correlation with application logs).
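The log indicators above, implemented as an added detection example (not part of this advisory) over Apache/Nginx combined-format access log lines. The sample lines, the site hostname lms.example.org and the Referer heuristic for "unauthenticated" are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# The two endpoints named in the advisory; the query string is stripped before matching.
VULN_PATHS = ("/main/inc/ajax/message.ajax.php", "/main/inc/ajax/online.ajax.php")
# Apache/Nginx "combined" format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def suspicious_hits(lines, site_host="lms.example.org"):
    """Records matching the advisory's log indicator: HTTP 200 on a vulnerable endpoint.
    Access logs carry no session state, so 'unauthenticated' is approximated by the absence
    of a Referer from the site itself (Chamilo's pages send one; a scanner usually does not)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in VULN_PATHS or rec["status"] != 200:
            continue
        if site_host not in rec["referer"]:
            hits.append(rec)
    return hits

def spike_sources(hits, threshold=5):
    """Source IPs with more than `threshold` suspicious hits inside one calendar minute."""
    counts = defaultdict(int)
    for h in hits:
        counts[(h["ip"], h["ts"].replace(second=0))] += 1
    return {ip for (ip, _), n in counts.items() if n > threshold}

# Constructed sample lines; the IPs are documentation addresses, not real indicators.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Apr/2024:12:00:01 +0000] "GET /main/inc/ajax/message.ajax.php?a=get_count_message HTTP/1.1" 200 12 "https://lms.example.org/user_portal.php" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2024:12:00:05 +0000] "GET /main/inc/ajax/online.ajax.php?a=get_users_online HTTP/1.1" 200 2 "-" "curl/8.0.1"',
    '203.0.113.7 - - [10/Apr/2024:12:00:06 +0000] "GET /main/inc/ajax/online.ajax.php?a=get_users_online HTTP/1.1" 302 0 "-" "curl/8.0.1"',
] + [
    f'198.51.100.9 - - [10/Apr/2024:12:01:{i:02d} +0000] "GET /main/inc/ajax/message.ajax.php?a=get_count_message HTTP/1.1" 200 12 "-" "python-requests/2.31.0"'
    for i in range(6)
]
```

On the sample, the in-app call with a site Referer and the post-patch 302 are ignored, the seven remaining probes are reported, and only the source that burst six requests in one minute is flagged as a spike.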
