CVE-2025-59541 in LMS
Summary
by MITRE • 03/06/2026
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim's consent. The issue arises because sensitive actions such as project deletion do not implement anti-CSRF protections (tokens) and are triggered by GET-based requests. As a result, an authenticated user (Trainer) can be tricked into executing this unwanted action by simply visiting a malicious page. This issue has been patched in version 1.11.34.
Analysis
by VulDB Data Team • 03/06/2026
CVE-2025-59541 affects Chamilo, a learning management system used by educational institutions and training organizations. The flaw is a Cross-Site Request Forgery (CSRF) weakness in the project deletion function inside a course: an authenticated user can be made to delete a project without knowing that the request was sent. Versions prior to 1.11.34 are affected; the fix ships in 1.11.34.
Technically, the problem is the absence of anti-CSRF protection on a state-changing operation. CWE-352 (Cross-Site Request Forgery) describes exactly this pattern: the server accepts a request because it carries a valid session cookie, without any evidence that the request was issued from the application's own pages. Two properties make this instance easy to exploit. First, the deletion is triggered by a GET request, so the attacker does not need a script or an auto-submitting form: an `<img>` tag, a link, or a redirect to the crafted URL is enough, and the victim's browser attaches the session cookie automatically. Second, no per-session token is checked, so nothing in the request distinguishes a forged request from a legitimate one. Any valid Trainer session can therefore be turned against the course it manages, and the action should instead be bound to POST and to a token the attacker's page cannot read.
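The following is an added illustration, not code from Chamilo or from the advisory. It models the vulnerable handler beside a hardened one in Python: the endpoint path, the `action`/`id`/`csrf_token` parameter names and the in-memory session store are assumptions chosen for the demonstration. The forged GET (what an `<img>` tag on the attacker's page produces) succeeds against the first handler; against the second it fails on the method check, a forged POST fails on the token, and only the legitimate same-origin POST carrying the session token deletes the project.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical endpoint; the real Chamilo path and parameter names are not given on this page.
DELETE_PATH = "/main/work/work.php"


@dataclass
class Request:
    method: str
    path: str
    params: dict            # query string (GET) or form body (POST)
    cookies: dict
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    role: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


SESSIONS = {}   # session id -> Session (in-memory stand-in for the server's session store)


def login(role="trainer"):
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(role=role)
    return sid


def session_for(req):
    return SESSIONS.get(req.cookies.get("sid"))


def vulnerable_delete(req, projects):
    """'Before' handler: any authenticated Trainer request with action=delete
    removes the project, regardless of HTTP method, origin or token."""
    sess = session_for(req)
    if sess is None or sess.role != "trainer":
        return "403 forbidden"
    if req.params.get("action") != "delete":
        return "200 ok"
    projects.discard(req.params.get("id"))
    return "200 deleted"


def hardened_delete(req, projects):
    """'After' handler with three independent checks."""
    sess = session_for(req)
    if sess is None or sess.role != "trainer":
        return "403 forbidden"
    if req.params.get("action") != "delete":
        return "200 ok"
    # 1. State changes only over POST: an <img>, a link or a redirect can only produce a GET.
    if req.method != "POST":
        return "405 method not allowed"
    # 2. Fetch Metadata: browsers that send Sec-Fetch-Site label cross-site requests as such;
    #    reject anything not from our own origin. A missing header (old browser) falls through to 3.
    fetch_site = req.headers.get("Sec-Fetch-Site")
    if fetch_site is not None and fetch_site != "same-origin":
        return "403 cross-site request rejected"
    # 3. Per-session token the attacker's page cannot read (same-origin policy), compared in constant time.
    if not hmac.compare_digest(req.params.get("csrf_token", ""), sess.csrf_token):
        return "403 invalid csrf token"
    projects.discard(req.params.get("id"))
    return "200 deleted"


def forged_get(sid):
    """What the victim's browser sends for
    <img src="https://lms.example/main/work/work.php?action=delete&id=42"> on the
    attacker's page: the session cookie is attached automatically (constructed request)."""
    return Request("GET", DELETE_PATH, {"action": "delete", "id": "42"}, {"sid": sid},
                   {"Sec-Fetch-Site": "cross-site", "Referer": "https://attacker.example/"})


def forged_post(sid):
    """Auto-submitting cross-site form from a browser without Fetch Metadata:
    the method is right, but the attacker cannot supply the victim's token."""
    return Request("POST", DELETE_PATH, {"action": "delete", "id": "42", "csrf_token": "guess"},
                   {"sid": sid}, {"Referer": "https://attacker.example/"})


def legitimate_post(sid):
    return Request("POST", DELETE_PATH,
                   {"action": "delete", "id": "42", "csrf_token": SESSIONS[sid].csrf_token},
                   {"sid": sid}, {"Sec-Fetch-Site": "same-origin"})


def demo():
    sid = login()
    before = {"42", "43"}   # projects in the course, vulnerable handler
    after = {"42", "43"}    # same projects, hardened handler
    return (
        vulnerable_delete(forged_get(sid), before), sorted(before),
        hardened_delete(forged_get(sid), after),
        hardened_delete(forged_post(sid), after),
        hardened_delete(legitimate_post(sid), after), sorted(after),
    )


if __name__ == "__main__":
    print(demo())
```

The three checks in the hardened handler are deliberately independent: moving the action to POST alone only forces the attacker to use an auto-submitting form, and the Fetch Metadata check depends on the browser, so the per-session token is the check that must never be skipped.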
The operational impact is the loss of course content. An attacker can remove projects from a course, disrupting the materials that students and instructors depend on, and because the victim is a Trainer, an account with course management rights, the forged request is executed with exactly the privileges needed to do so. The attack requires nothing beyond the victim loading a page while logged in to the LMS, so it is hard to counter with user education alone, and a single malicious page can embed several deletion URLs and remove several projects in one visit. VulDB maps the vulnerability to ATT&CK tactic TA0001 (Initial Access) and technique T1190 (Exploit Public-Facing Application), the generic pattern of a public-facing web application being exploited to reach resources the attacker could not otherwise access.
Organizations running Chamilo should upgrade to version 1.11.34 or later, the release that adds anti-CSRF protection to the affected operation. Where an upgrade has to wait, a few compensating controls apply. A web application firewall or reverse proxy can reject state-changing requests that arrive as GET, or that carry a Referer or Origin header from a foreign site; modern browsers also send a Sec-Fetch-Site header, and a value of cross-site on a request to a deletion endpoint is a reliable signal to block. Cookie attributes help only partially: SameSite=Lax (the default many browsers now apply to cookies without an explicit attribute) stops the `<img>`-based variant of the attack but still sends the session cookie on a top-level GET navigation, so a link or a redirect to the deletion URL keeps working; SameSite=Strict closes that gap at the cost of breaking legitimate inbound links to the LMS. Content Security Policy does not prevent CSRF, since it is enforced on the application's own pages and not on the attacker's; it is still worth deploying against cross-site scripting, which would bypass any CSRF defence, but it is not a mitigation for this issue. Security audits should verify that every operation that modifies state is bound to POST and to a per-session token, and that no state-changing action is reachable by GET. Monitoring should look for deletions of course materials that arrive as GET requests, that carry a foreign or missing Referer, or that come in bursts from a single Trainer account, since one malicious page can trigger several deletions in a single visit. User education about visiting untrusted sites while logged in has limited value against an attack that needs nothing more than loading a page; short session lifetimes and logging out of the LMS when finished reduce the window in which a session can be abused.
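To make the monitoring advice concrete, here is an added detection example that is not part of the advisory or of Chamilo. It scans web-server access logs in the common "combined" format for state-changing requests that arrive as GET, carry a Referer from a foreign host, or carry no Referer at all, and counts hits per account to surface bursts. The hostname, the endpoint path and the `action` parameter values are assumptions; the log lines are constructed for the example and are not a real capture.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical LMS hostname; the analysis does not name a deployment.
SITE_HOST = "lms.example"
# Hypothetical query parameter values that mark destructive actions; the real
# endpoint and parameter names must be taken from the deployed Chamilo version.
STATE_CHANGING_ACTIONS = {"delete", "delete_dir", "remove"}

# Apache/nginx "combined" log format: remote host, ident, user, time, request,
# status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not a real capture). trainer1 visits an attacker page that
# embeds three deletion URLs; trainer2 hits a deletion URL with no Referer at all.
SAMPLE_LOG = """\
203.0.113.5 - trainer1 [06/Mar/2026:10:15:01 +0000] "POST /main/work/work.php?action=delete&id=41 HTTP/1.1" 302 0 "https://lms.example/main/work/work.php?cidReq=COURSE1" "Mozilla/5.0"
203.0.113.5 - trainer1 [06/Mar/2026:10:16:30 +0000] "GET /main/work/work.php?action=delete&id=42 HTTP/1.1" 302 0 "https://attacker.example/free-grading-tool.html" "Mozilla/5.0"
203.0.113.5 - trainer1 [06/Mar/2026:10:16:30 +0000] "GET /main/work/work.php?action=delete&id=43 HTTP/1.1" 302 0 "https://attacker.example/free-grading-tool.html" "Mozilla/5.0"
203.0.113.5 - trainer1 [06/Mar/2026:10:16:31 +0000] "GET /main/work/work.php?action=delete&id=44 HTTP/1.1" 302 0 "https://attacker.example/free-grading-tool.html" "Mozilla/5.0"
198.51.100.9 - trainer2 [06/Mar/2026:10:20:12 +0000] "GET /main/work/work.php?action=delete&id=57 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - trainer2 [06/Mar/2026:10:21:00 +0000] "GET /main/work/work.php?cidReq=COURSE2 HTTP/1.1" 200 8123 "https://lms.example/courses/" "Mozilla/5.0"
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_reasons(entry):
    """Return the reasons a request looks like a forged state change, or [] if it does not."""
    url = urlsplit(entry["target"])
    action = parse_qs(url.query).get("action", [""])[0]
    if action not in STATE_CHANGING_ACTIONS:
        return []
    reasons = []
    if entry["method"] == "GET":
        reasons.append("state change via GET")
    referer = entry["referer"]
    if referer in ("", "-"):
        # The Referer is attacker-controllable: a Referrer-Policy of no-referrer on the
        # attacker's page removes it, so its absence on a deletion is itself a signal.
        reasons.append("no referer")
    else:
        host = urlsplit(referer).hostname
        if host != SITE_HOST:
            reasons.append(f"cross-site referer {host}")
    return reasons


def scan(log_text):
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            hits.append({"user": entry["user"], "ts": entry["ts"],
                         "target": entry["target"], "reasons": reasons})
    return hits


def per_user_counts(hits):
    """Burst view: several flagged deletions from one account point to one malicious page visit."""
    counts = {}
    for h in hits:
        counts[h["user"]] = counts.get(h["user"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = scan(SAMPLE_LOG)
    for h in flagged:
        print(h["ts"], h["user"], h["target"], "; ".join(h["reasons"]))
    print(per_user_counts(flagged))
```

The legitimate POST from the application's own page is not flagged, the three GETs referred from the attacker's page are, and the Referer-less GET is flagged as well, since a forged request can arrive without a Referer just as easily as with a foreign one. After the upgrade, any remaining hit for "state change via GET" is worth a second look, because the fixed release should no longer accept such requests.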