CVE-2024-30619 identifies an incorrect access control vulnerability in Chamilo LMS version 1.11.26. This flaw allows unauthenticated attackers to access two AJAX endpoints: "/main/inc/ajax/message.ajax.php?a=get_count_message" and "/main/inc/ajax/online.ajax.php?a=get_users_online". These endpoints provide the number of messages and the count of online users, respectively. Because these endpoints lack proper access control, attackers can query them without any authentication or user interaction, exposing sensitive information about user activity within the LMS. The vulnerability is classified under CVSS v3.1 with a score of 7.5, indicating high severity due to its network accessibility (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is primarily on confidentiality (C:H), with no effect on integrity or availability. Although no exploits have been reported in the wild, the vulnerability could be leveraged for reconnaissance or to facilitate further targeted attacks by revealing user engagement metrics. Chamilo LMS is an open-source learning management system widely used in educational institutions globally, making this vulnerability relevant to organizations relying on it for e-learning and training.

The primary impact of CVE-2024-30619 is the unauthorized disclosure of sensitive information regarding user activity within the Chamilo LMS environment. Attackers can determine the number of messages and online users without authentication, which could aid in profiling user behavior, timing attacks, or preparing for more sophisticated intrusions. While this vulnerability does not allow direct modification of data or disruption of services, the confidentiality breach can undermine user privacy and organizational trust. Educational institutions and training providers using Chamilo LMS may face reputational damage and potential compliance issues related to data protection regulations. Additionally, attackers might combine this information with other vulnerabilities or social engineering tactics to escalate privileges or conduct targeted attacks. The ease of exploitation and network accessibility increase the risk of automated scanning and mass reconnaissance campaigns targeting vulnerable LMS deployments worldwide.

To mitigate CVE-2024-30619, organizations should first apply any official patches or updates provided by Chamilo LMS developers once available. In the absence of immediate patches, administrators should implement strict access controls on the affected AJAX endpoints, restricting access to authenticated and authorized users only. This can be achieved by configuring web server rules (e.g., using .htaccess or firewall rules) to block unauthenticated requests to "/main/inc/ajax/message.ajax.php" and "/main/inc/ajax/online.ajax.php". Additionally, enabling web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting these endpoints can reduce exposure. Monitoring and logging access to these URLs will help detect potential exploitation attempts. Organizations should also review user permissions and session management policies to minimize information leakage. Finally, educating system administrators about this vulnerability and encouraging timely updates will help maintain a secure LMS environment.