CVE-2026-33707
Chamilo · LMS
Chamilo LMS uses a predictable, non-random token generation mechanism for password resets, allowing unauthenticated attackers to hijack user accounts.
Executive summary
A critical vulnerability in the Chamilo LMS password reset mechanism allows unauthenticated attackers to easily compute reset tokens and hijack any user account.
Vulnerability
This is a cryptographic flaw where password reset tokens are generated using a static, predictable sha1($email) hash. There is no randomness, expiration, or rate limiting, enabling attackers to reset any user's password without authentication.
Business impact
With a CVSS score of 9.4, this vulnerability is critical. Attackers can gain unauthorized access to any account, including administrative accounts, leading to full platform takeover, student and staff data exposure, and potential malicious content injection.
Remediation
Immediate Action: Update Chamilo LMS to version 1.11.38, 2.0.0-RC.3, or later.
Proactive Monitoring: Monitor for high volumes of password reset requests or suspicious account modification activity.
Compensating Controls: If immediate patching is not possible, disable the password reset feature or implement a temporary WAF rule to rate-limit reset requests.
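To make the remediation concrete, here is an added example (not Chamilo's code) that places the deterministic token pattern the Vulnerability section describes beside a hardened design covering each gap named above: an OS-random token, a stored hash rather than the token itself, a short expiry, single use, constant-time comparison and a per-account request limit. The class and its parameters are assumed for illustration.

```python
import hashlib
import hmac
import secrets
import time


def weak_reset_token(email: str) -> str:
    """Pattern described in the advisory: the token depends only on the e-mail.
    It never changes, never expires and needs no secret to reproduce."""
    return hashlib.sha1(email.encode()).hexdigest()


class ResetTokenStore:
    """Hardened design (assumed example, not Chamilo's implementation)."""

    TTL = 15 * 60      # seconds a token stays valid
    MAX_REQUESTS = 3   # reset requests allowed per account per TTL window

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # email -> (sha256(token), expires_at)
        self.requests = {}  # email -> [request timestamps]

    def issue(self, email: str):
        """Return a fresh token to send to the user, or None when rate-limited."""
        t = self.now()
        recent = [ts for ts in self.requests.get(email, []) if t - ts < self.TTL]
        if len(recent) >= self.MAX_REQUESTS:
            return None
        self.requests[email] = recent + [t]
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[email] = (digest, t + self.TTL)  # supersedes any older token
        return token

    def redeem(self, email: str, token: str) -> bool:
        """Accept a token at most once and only before it expires."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if self.now() >= expires_at or not hmac.compare_digest(digest, presented):
            return False
        del self.pending[email]  # single use
        return True
```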
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is highly exploitable and allows for mass account takeover. Organizations must update their Chamilo instances immediately to secure their user base and administrative integrity.