CVE-2025-52469

CVE-2025-52469 is a logic vulnerability in the friend request workflow of Chamilo's social network module, affecting the open-source learning management system Chamilo prior to version 1.11.30. An authenticated user can directly call an AJAX endpoint to forcibly add any other user as a friend, bypassing the standard process of sending and awaiting acceptance of friend requests. This flaw even permits adding non-existent users, undermining access control and social interaction logic with potential privacy implications. The vulnerability is rated 7.1 on the CVSS v3.1 scale (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N) and maps to CWE-841 (Improper Enforcement of Behavioral Workflow).

Any low-privileged authenticated user on a Chamilo instance can exploit this over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to manipulate the social graph by unilaterally establishing friendships, potentially granting unauthorized access to private profiles, messages, or shared resources tied to the friend relationship. While direct confidentiality impact is low, the high integrity impact disrupts intended social controls, enabling abuse such as spam, harassment, or further reconnaissance in educational environments.

The issue has been addressed in Chamilo version 1.11.30, as detailed in the project's GitHub security advisory (GHSA-m5xj-5xf3-rqch), release notes, and the patching commit. Security practitioners should upgrade to 1.11.30 or later and review access to the social network module's AJAX endpoints.