Platform
php
Component
chamilo-lms
Fixed in
1.11.35
CVE-2025-59541 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting Chamilo LMS versions prior to 1.11.34. This flaw allows an attacker to delete projects within a course without the victim's knowledge or consent. The vulnerability stems from a lack of anti-CSRF protections on sensitive actions, specifically project deletion, making it susceptible to manipulation via malicious links. The vulnerability has been addressed in version 1.11.34.
The primary impact of CVE-2025-59541 is the unauthorized deletion of projects within a Chamilo LMS course. An attacker can craft a malicious webpage that, when visited by an authenticated 'Trainer' user, triggers the project deletion action. This could lead to significant data loss, disruption of learning materials, and potential reputational damage for the institution using Chamilo. The attack requires the victim to be logged into Chamilo and visit the attacker-controlled page, but does not require any further interaction. Successful exploitation could compromise the integrity of course content and impact the learning experience for students.
CVE-2025-59541 was publicly disclosed on 2026-03-06. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The potential for exploitation is considered medium due to the relatively simple attack vector and the widespread use of Chamilo LMS in educational institutions.
Educational institutions and organizations utilizing Chamilo LMS are at risk, particularly those running versions prior to 1.11.34. Organizations with a large number of 'Trainer' accounts or those that allow users to easily share links to internal Chamilo resources are at higher risk. Shared hosting environments where multiple Chamilo instances reside on the same server could also be impacted.
• php / web: Examine access logs for GET requests to project deletion endpoints with suspicious Referer headers.
grep 'project_delete.php' access.log | grep -i 'attacker.com'
• php / web: Monitor Chamilo application logs for unusual project deletion events, particularly those associated with Trainer accounts.
• generic web: Use curl to test for project deletion functionality via GET requests without CSRF tokens.
curl -v -X GET 'https://chamilo.example.com/project_delete.php?project_id=123' -H 'Referer: https://attacker.com'
Exploit status
EPSS
0.02% (4th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-59541 is to immediately upgrade Chamilo LMS to version 1.11.34 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, educate users about the risks of clicking on untrusted links and the importance of verifying the authenticity of websites before submitting sensitive actions. While a direct detection signature is difficult, monitor Chamilo logs for unusual project deletion activity originating from unexpected IP addresses or user agents.
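A worked version of the log review described in the detection steps and in the monitoring advice above, added here as an example and not code from the page or from the Chamilo project: it parses combined-format web-server access log lines and flags requests to the project deletion endpoint whose Referer is cross-origin or absent, which is the pattern a forged request from an attacker-controlled page would leave. The log lines, IP addresses, site origin and request paths are constructed for the example; the endpoint name project_delete.php is the one the page names, and the list of other state-changing scripts to watch is an assumption to adjust per deployment.

```python
"""Flag CSRF-style project deletion requests in Chamilo access logs (added example)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Combined log format: ip ident user [time] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# project_delete.php is the endpoint named on the page; any further entries are an assumption.
DELETION_ENDPOINTS = ("project_delete.php",)

# Constructed sample log lines: one forged cross-origin request, one normal in-app request,
# one unrelated page view, and one deletion request with no Referer at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Mar/2026:10:01:02 +0000] "GET /project_delete.php?project_id=123 HTTP/1.1" '
    '302 0 "https://attacker.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Mar/2026:10:02:03 +0000] "GET /project_delete.php?project_id=124 HTTP/1.1" '
    '302 0 "https://chamilo.example.com/main/work/work.php" "Mozilla/5.0"',
    '198.51.100.8 - - [06/Mar/2026:10:03:04 +0000] "GET /main/work/work.php?cidReq=ABC HTTP/1.1" '
    '200 5120 "https://chamilo.example.com/" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Mar/2026:10:04:05 +0000] "GET /project_delete.php?project_id=125 HTTP/1.1" '
    '302 0 "-" "Mozilla/5.0"',
]
SITE_ORIGIN = "https://chamilo.example.com"  # constructed; use the deployment's own origin


def referer_origin(referer: str) -> str:
    """Return scheme://host[:port] of a Referer value, or '' if it is absent or unparsable."""
    if not referer or referer == "-":
        return ""
    parts = urlsplit(referer)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def classify(entry: dict, site_origin: str) -> Optional[str]:
    """Label a parsed entry: 'cross-origin-referer', 'missing-referer', or None when benign."""
    path = entry["path"].split("?", 1)[0]
    if not path.endswith(DELETION_ENDPOINTS):
        return None  # not a state-changing endpoint we care about
    origin = referer_origin(entry["referer"])
    if origin == "":
        # A forged request may arrive with no Referer (referrer policy, image tags), so
        # a deletion without one deserves review rather than silence.
        return "missing-referer"
    if origin != site_origin.lower():
        return "cross-origin-referer"
    return None  # same-origin request, consistent with normal use of the UI


def scan(lines: List[str], site_origin: str) -> List[Tuple[str, str, str, str]]:
    """Return (label, client ip, request path, referer) for every suspicious entry."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            continue  # skip lines that are not in combined format
        entry = match.groupdict()
        label = classify(entry, site_origin)
        if label is not None:
            findings.append((label, entry["ip"], entry["path"], entry["referer"]))
    return findings


if __name__ == "__main__":
    for label, ip, path, referer in scan(SAMPLE_LOG, SITE_ORIGIN):
        print(f"{label:22} {ip:15} {path}  referer={referer}")
```

Running the block on the constructed lines reports the request from 203.0.113.5 (Referer on a foreign origin) and the one from 192.0.2.9 (no Referer); the same-origin deletion and the ordinary page view are not reported. Checking the Referer origin rather than a fixed hostname, as the grep on the page does, catches forged requests from any outside page, not just a known one.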
Update Chamilo LMS to version 1.11.34 or later. This version contains the fix for the CSRF vulnerability in project deletion. Updating will prevent an attacker from deleting projects without your consent.
CVE-2025-59541 is a Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS versions before 1.11.34, allowing attackers to delete projects without consent.
You are affected if you are using Chamilo LMS version 1.11.34 or earlier. Upgrade to the latest version to mitigate the risk.
Upgrade Chamilo LMS to version 1.11.34 or later. Consider implementing a WAF with CSRF protection as a temporary workaround.
There is no confirmed active exploitation of CVE-2025-59541 at this time, but the vulnerability is publicly known and could be targeted.
Refer to the official Chamilo security advisory for CVE-2025-59541 on the Chamilo website (check their security announcements page).