CVE-2025-69581

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Rivek619/CVE-2025-69581	Third Party Advisory Exploit
https://github.com/chamilo/chamilo-lms	Product

Configurations

Configuration 1 (hide)

cpe:2.3:a:chamilo:chamilo_lms:1.11.2:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-16 20:15

Updated : 2026-02-05 21:46

NVD link : CVE-2025-69581

Mitre link : CVE-2025-69581

CVE.ORG link : CVE-2025-69581

JSON object : View

Products Affected

chamilo

chamilo_lms

CWE

CWE-524

Use of Cache Containing Sensitive Information

{"id": "CVE-2025-69581", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2026-01-16T20:15:49.287", "references": [{"url": "https://github.com/Rivek619/CVE-2025-69581", "tags": ["Third Party Advisory", "Exploit"], "source": "cve@mitre.org"}, {"url": "https://github.com/chamilo/chamilo-lms", "tags": ["Product"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-524"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Chamillo LMS 1.11.2. El endpoint /personal_data de la Red Social expone informaci\u00f3n sensible completa del usuario incluso despu\u00e9s de cerrar sesi\u00f3n porque falta un control de cach\u00e9 adecuado. Usar el bot\u00f3n de retroceso del navegador restaura todos los datos personales, permitiendo a usuarios no autorizados en el mismo dispositivo ver informaci\u00f3n confidencial. Esto conduce a la elaboraci\u00f3n de perfiles, suplantaci\u00f3n de identidad, ataques dirigidos y riesgos significativos para la privacidad."}], "lastModified": "2026-02-05T21:46:04.547", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:1.11.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3324481-48CB-4C31-881E-9487AB56DBC8"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}