
Cloud Vulnerability DB
A community-led vulnerabilities database
Chamilo LMS 1.11.26 contains an Incorrect Access Control vulnerability in the main/auth/profile component. The vulnerability was discovered in March 2024 and allows non-administrative users to manipulate sensitive profile information of other users, including administrators (GitHub Research).
The vulnerability stems from insufficient authorization checks in the profile editing functionality. Non-administrative users can modify LinkedIn and Skype profile URLs of administrator accounts by manipulating the 'item_id' parameter in profile update requests. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability allows unauthorized users to modify sensitive profile information of other users, particularly administrator accounts. This undermines the system's authorization mechanisms and enables unauthorized modifications to critical account settings that are typically reserved for administrators (GitHub Research).
A patch has been released that ensures profile modifications are restricted to the current user's data. The fix involves explicitly setting the item_id to the current user's ID using api_get_user_id() (GitHub Commit).
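To illustrate the pre-fix and post-fix authorization logic described above, the following is an added example in Python (not Chamilo's code): a profile-update handler that trusts a submitted item_id, beside one that binds the target row to the session user and records any mismatching item_id for detection. The user table, the Request shape and the profile field names are constructed assumptions.

```python
from copy import deepcopy
from dataclasses import dataclass

# Constructed sample data: user 1 is an administrator, user 2 is a regular user.
SEED_USERS = {
    1: {"username": "admin", "is_admin": True, "linkedin": "", "skype": ""},
    2: {"username": "alice", "is_admin": False, "linkedin": "", "skype": ""},
}

PROFILE_FIELDS = ("linkedin", "skype")


def fresh_users():
    """Return an independent copy of the constructed user table."""
    return deepcopy(SEED_USERS)


@dataclass
class Request:
    session_user_id: int  # identity established by the server-side session
    params: dict          # submitted form fields; fully client-controlled


def update_profile_vulnerable(req, users):
    """Pre-fix pattern: the row to update is chosen from the submitted item_id,
    so any authenticated user can point it at another account."""
    target = int(req.params.get("item_id", req.session_user_id))
    for name in PROFILE_FIELDS:
        if name in req.params:
            users[target][name] = req.params[name]
    return target  # id of the row that was actually modified


def update_profile_fixed(req, users, audit):
    """Post-fix pattern: the target is always the session user (the role
    api_get_user_id() plays in Chamilo). A submitted item_id that disagrees
    with the session is ignored and appended to `audit` for detection."""
    target = req.session_user_id
    submitted = req.params.get("item_id")
    if submitted is not None and int(submitted) != target:
        audit.append(f"profile_update: user {target} submitted item_id={submitted}; ignored")
    for name in PROFILE_FIELDS:
        if name in req.params:
            users[target][name] = req.params[name]
    return target


if __name__ == "__main__":
    req = Request(session_user_id=2, params={"item_id": "1", "linkedin": "https://example.invalid/x"})
    vuln, fixed, audit = fresh_users(), fresh_users(), []
    print("vulnerable modified user", update_profile_vulnerable(req, vuln), vuln[1])
    print("fixed modified user", update_profile_fixed(req, fixed, audit), fixed[1], audit)
```

The audit line is the signal a defender would forward to a SIEM: a non-empty item_id that differs from the session user is the exact condition the original code failed to check.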
Source: This report was generated using AI