Chamilo LMS suffers from a session fixation vulnerability (CWE-384) in the file main/lp/aicc_hacp.php where user input is used to set the PHP session ID before the global bootstrap process. This improper handling allows an attacker to force a victim to use a known session ID, potentially enabling session hijacking. The vulnerability affects versions prior to 1.11.38 and from 2.0.0-alpha.1 up to but not including 2.0.0-RC.3. The issue is fixed in versions 1.11.38 and 2.0.0-RC.3. The CVSS 3.1 base score is 7.5, indicating high severity with network attack vector, high impact on confidentiality, integrity, and availability, and requiring user interaction.

Successful exploitation of this vulnerability can lead to session fixation, allowing an attacker to hijack a user's session and gain unauthorized access to the affected Chamilo LMS instance. The impact includes full compromise of user confidentiality, integrity, and availability as indicated by the CVSS score.

Upgrade Chamilo LMS to version 1.11.38 or later, or to version 2.0.0-RC.3 or later, where this session fixation vulnerability has been fixed. Patch status is confirmed by the vendor's versioning information. No other mitigation steps are specified or required beyond applying the official fix.