Chamilo LMS 2.0-RC.2 has a missing authentication vulnerability in the public/main/inc/ajax/install.ajax.php file because it does not include the global.inc.php file that enforces authentication and installation checks. The test_mailer action accepts an arbitrary Symfony Mailer DSN string from POST data, allowing unauthenticated attackers to connect to attacker-specified SMTP servers. This enables SSRF attacks via SMTP, weaponizes the server as an open email relay for phishing and spam, and may disclose internal network topology through error responses. The vulnerability affects versions >= 2.0-RC.2 and < 2.0-RC.3 and is resolved in 2.0.0-RC.3.

An unauthenticated attacker can exploit this vulnerability to perform SSRF attacks into internal networks using the SMTP protocol, potentially bypassing network restrictions. The attacker can also use the vulnerable server as an open email relay to send phishing or spam emails that appear to originate from the server's IP address. Additionally, error messages from failed SMTP connections may reveal sensitive information about internal network topology and running services. The CVSS score of 7.2 reflects a high severity with network attack vector, no privileges required, no user interaction, and partial confidentiality and integrity impact.

A fix for this vulnerability is available in Chamilo LMS version 2.0.0-RC.3. Users should upgrade to this version or later to remediate the issue. Since this is not a cloud service, manual patching is required. Patch status is confirmed by the vendor's versioning information. Until patched, restrict access to the vulnerable endpoint if possible and monitor for suspicious SMTP relay activity.