Chamilo LMS, an open-source learning management system widely used in educational institutions, contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2024-50337. This vulnerability exists in the OpenId authentication function in versions prior to 1.11.28. SSRF allows an attacker to abuse the server to send HTTP requests to arbitrary URLs on behalf of the server without authentication or user interaction. Specifically, the OpenId function does not properly validate or restrict URLs that can be requested, enabling unauthenticated blind SSRF attacks. Blind SSRF means the attacker may not directly see the response but can infer success or failure through side channels or timing. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting medium severity, with the vector indicating network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact. While the vulnerability does not directly compromise data integrity or availability, it can be leveraged to probe internal network services, access metadata endpoints, or perform port scanning from the server’s perspective. This can lead to information disclosure about internal infrastructure or potentially facilitate further attacks. The Chamilo project addressed this vulnerability in version 1.11.28 by implementing proper validation and restrictions on URLs used in the OpenId function. No public exploits or widespread attacks have been reported to date, but the vulnerability presents a significant risk for organizations running outdated versions of Chamilo LMS.

The primary impact of CVE-2024-50337 is unauthorized information disclosure through SSRF, which can reveal sensitive internal network details, such as internal IP addresses, services, or cloud metadata endpoints. This can aid attackers in mapping internal infrastructure and planning subsequent attacks. Although the vulnerability does not directly affect data integrity or availability, the reconnaissance enabled by SSRF can lead to more severe compromises if combined with other vulnerabilities. Educational institutions, government agencies, and enterprises using Chamilo LMS are at risk of internal network exposure. The unauthenticated nature of the vulnerability increases its risk profile, as attackers do not need valid credentials or user interaction to exploit it. The medium CVSS score reflects moderate impact but ease of exploitation. Organizations that fail to patch may face increased risk of targeted attacks, especially in environments where Chamilo LMS servers have access to sensitive internal resources or cloud metadata services.

1. Upgrade Chamilo LMS to version 1.11.28 or later immediately to apply the official patch that restricts and validates URLs in the OpenId function. 2. If upgrading is not immediately possible, implement network-level controls to restrict outbound HTTP requests from the Chamilo server to only trusted destinations, minimizing SSRF attack surface. 3. Monitor server logs for unusual outbound request patterns or anomalies originating from the OpenId function. 4. Employ web application firewalls (WAFs) with SSRF detection rules to block suspicious request payloads targeting the OpenId endpoint. 5. Conduct internal network segmentation to limit the Chamilo server’s access to sensitive internal services and metadata endpoints. 6. Review and harden OpenId and authentication configurations to ensure minimal exposure. 7. Educate administrators about SSRF risks and ensure timely patch management processes for LMS and related infrastructure.