CVE-2024-30616 identifies an Incorrect Access Control vulnerability (CWE-863) in Chamilo LMS version 1.11.26, specifically affecting the main/auth/profile endpoint. This vulnerability allows users with limited privileges (non-admin) to manipulate sensitive profile information that should be restricted to administrators. The flaw arises from insufficient enforcement of access control policies, permitting unauthorized access and modification of user profile data. The vulnerability has a CVSS v3.1 base score of 8.8, indicating high severity, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This means the attack can be performed remotely over the network with low complexity, requiring only limited privileges and no user interaction. The scope is unchanged, but the impact on confidentiality, integrity, and availability is high, as attackers can alter sensitive data, potentially leading to data breaches, identity manipulation, and disruption of LMS operations. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was reserved in March 2024 and published in November 2024, highlighting the need for urgent attention from organizations using this LMS platform.

The vulnerability poses a significant risk to organizations using Chamilo LMS, particularly educational institutions, training providers, and enterprises relying on this platform for learning management. Unauthorized manipulation of profile information can lead to data integrity issues, unauthorized data disclosure, and potential disruption of LMS services. Attackers could alter user roles, escalate privileges indirectly, or corrupt user data, undermining trust and compliance with data protection regulations. The high CVSS score reflects the broad impact on confidentiality, integrity, and availability, making it a critical threat. Given the remote exploitability and low complexity, threat actors could automate attacks at scale, affecting multiple organizations globally. The lack of known exploits in the wild suggests a window of opportunity for defenders to remediate before widespread exploitation occurs.

Organizations should immediately review and restrict access controls on the main/auth/profile endpoint within Chamilo LMS. Until an official patch is released, administrators can implement web application firewall (WAF) rules to block unauthorized profile modification attempts and monitor logs for suspicious activity targeting this endpoint. Conduct thorough audits of user privileges to ensure least privilege principles are enforced, minimizing the number of users with elevated access. Employ network segmentation to isolate LMS servers and restrict access to trusted users only. Regularly back up LMS data to enable recovery from potential data tampering. Engage with Chamilo LMS maintainers to track patch releases and apply updates promptly once available. Additionally, consider deploying runtime application self-protection (RASP) tools to detect and prevent unauthorized access attempts in real time.