CVE-2025-59541

Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. The issue arises because sensitive actions such as project deletion do not implement anti-CSRF protections (tokens) and GET based requests. As a result, an authenticated user (Trainer) can be tricked into executing this unwanted action by simply visiting a malicious page. This issue has been patched in version 1.11.34.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34	Product Release Notes
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpj6-p9m5-q637	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-06 04:16

Updated : 2026-03-09 17:30

NVD link : CVE-2025-59541

Mitre link : CVE-2025-59541

CVE.ORG link : CVE-2025-59541

JSON object : View

Products Affected

chamilo

chamilo_lms

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2025-59541", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-06T04:16:01.977", "references": [{"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpj6-p9m5-q637", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim\u2019s consent. The issue arises because sensitive actions such as project deletion do not implement anti-CSRF protections (tokens) and GET based requests. As a result, an authenticated user (Trainer) can be tricked into executing this unwanted action by simply visiting a malicious page. This issue has been patched in version 1.11.34."}, {"lang": "es", "value": "Chamilo es un sistema de gesti\u00f3n del aprendizaje. Antes de la versi\u00f3n 1.11.34, una vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) permite a un atacante eliminar proyectos dentro de un curso sin el consentimiento de la v\u00edctima. El problema surge porque las acciones sensibles, como la eliminaci\u00f3n de proyectos, no implementan protecciones anti-CSRF (tokens) y se basan en peticiones GET. Como resultado, un usuario autenticado (Formador) puede ser enga\u00f1ado para ejecutar esta acci\u00f3n no deseada simplemente visitando una p\u00e1gina maliciosa. Este problema ha sido parcheado en la versi\u00f3n 1.11.34."}], "lastModified": "2026-03-09T17:30:32.130", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF6714C4-3D58-43BF-A32C-6D436DB93E01", "versionEndExcluding": "1.11.34"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}