CVE-2025-59541

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-59541
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. The issue arises because sensitive actions such as project deletion do not implement anti-CSRF protections (tokens) and GET based requests. As a result, an authenticated user (Trainer) can be tricked into executing this unwanted action by simply visiting a malicious page. This issue has been patched in version 1.11.34.

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 Product Release Notes
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpj6-p9m5-q637 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
History

09 Mar 2026, 17:30

Type Values Removed Values Added
First Time Chamilo chamilo Lms
Chamilo
CPE cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
References () https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 - () https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 - Product, Release Notes
References () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpj6-p9m5-q637 - () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpj6-p9m5-q637 - Vendor Advisory

09 Mar 2026, 13:36

Type Values Removed Values Added
Summary
  • (es) Chamilo es un sistema de gestión del aprendizaje. Antes de la versión 1.11.34, una vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) permite a un atacante eliminar proyectos dentro de un curso sin el consentimiento de la víctima. El problema surge porque las acciones sensibles, como la eliminación de proyectos, no implementan protecciones anti-CSRF (tokens) y se basan en peticiones GET. Como resultado, un usuario autenticado (Formador) puede ser engañado para ejecutar esta acción no deseada simplemente visitando una página maliciosa. Este problema ha sido parcheado en la versión 1.11.34.

06 Mar 2026, 04:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-06 04:16

Updated : 2026-03-09 17:30

NVD link : CVE-2025-59541

Mitre link : CVE-2025-59541

CVE.ORG link : CVE-2025-59541

JSON object : View

Products Affected

chamilo

  • chamilo_lms
CWE
CWE-352

Cross-Site Request Forgery (CSRF)