First published: Wed May 05 2021
Chamilo LMS 1.11.10 does not properly manage privileges, which could allow a user with the Sessions administrator privilege to create a new user and then use the edit user function to elevate that new user to administrator privilege.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Chamilo / Chamilo LMS | = 1.11.10 | |
CVE-2020-23128 is a vulnerability in Chamilo LMS 1.11.10 that allows a user with the Sessions administrator privilege to create a new user and then elevate that user to administrator privilege.
CVE-2020-23128 has a severity score of 4.9, which is rated medium.
CVE-2020-23128 allows unauthorized privilege escalation in Chamilo LMS 1.11.10: a Sessions administrator can obtain a fully privileged administrator account, potentially compromising the whole platform.
To fix CVE-2020-23128, update Chamilo LMS to a version that has addressed the vulnerability and review which accounts hold the Sessions administrator privilege, removing it where it is not needed.
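The flaw described above is a missing check on the edit-user path: the application verifies that the caller may edit users at all, but not that the status being assigned is one the caller is entitled to grant. The following is an added, constructed model of that check in its weak and hardened forms; the role names, `User` type and `edit_user_*` functions are assumptions for illustration and are not Chamilo's code or API.

```python
"""Constructed model of the edit-user privilege check (not Chamilo code)."""
from dataclasses import dataclass

# Hypothetical privilege levels, ordered from least to most powerful.
STUDENT, TEACHER, SESSION_ADMIN, PLATFORM_ADMIN = 1, 2, 3, 4


@dataclass
class User:
    name: str
    status: int


class Forbidden(Exception):
    """Raised when the requested edit is not authorized."""


def edit_user_vulnerable(actor: User, target: User, new_status: int) -> User:
    """Checks only that the actor may reach the edit-user function.

    Because the requested status is never compared with the actor's own
    privilege, a session admin can set any user (including one they just
    created) to platform admin: the CVE-2020-23128 pattern.
    """
    if actor.status < SESSION_ADMIN:
        raise Forbidden("not allowed to edit users")
    target.status = new_status
    return target


def edit_user_hardened(actor: User, target: User, new_status: int) -> User:
    """Same entry check, plus validation of the status being assigned."""
    if actor.status < SESSION_ADMIN:
        raise Forbidden("not allowed to edit users")
    # Only a platform admin may grant or alter platform-admin status.
    if PLATFORM_ADMIN in (new_status, target.status) and actor.status < PLATFORM_ADMIN:
        raise Forbidden("only a platform admin may assign or edit platform admins")
    # Nobody may grant a privilege above their own (blocks vertical escalation).
    if new_status > actor.status:
        raise Forbidden("cannot grant a privilege above your own")
    target.status = new_status
    return target


def attempt(edit_fn, actor: User, target: User, new_status: int) -> bool:
    """Returns True if the edit was accepted, False if it was refused."""
    try:
        edit_fn(actor, target, new_status)
        return True
    except Forbidden:
        return False
```

The key difference is the second and third checks in the hardened version: the actor's own privilege bounds what they may assign, so the create-then-promote sequence is refused for a session admin while a platform admin's legitimate promotions still succeed.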
More information about CVE-2020-23128 can be found at the following references: [Reference 1](https://support.chamilo.org/projects/chamilo-18/wiki/Security_issues#Issue-41-2020-04-22-Medium-risk-high-impact-CSRF-and-privilege-escalation-via-CSRF), [Reference 2](https://toandak.blogspot.com/2020/05/improper-privilege-management-in.html)