CVE-2026-33708

Sažetak

Chamilo LMS is a learning management system. Prior to 1.11.38, the get_user_info_from_username REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This vulnerability is fixed in 1.11.38.

Reference

https://github.com/chamilo/chamilo-lms/commit/4a119f93abbfba6fe833580f2463c8d4afa500c2
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-qwch-82q9-q999

CVSS

Base:	6.5
Impact:	3.6
Exploitability:	2.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

10-04-2026 - 19:16

Objavljeno

10-04-2026 - 19:16