CVE-2025-59541
Published: 06 March 2026
Summary
CVE-2025-59541 is a high-severity CSRF (CWE-352) vulnerability in Chamilo Chamilo Lms. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires mechanisms to protect session authenticity, directly addressing CSRF by mandating tokens or equivalent protections against forged requests in Chamilo.
Mandates input validation at system entry points, including anti-CSRF tokens to block unauthorized project deletion requests lacking valid tokens.
Requires timely flaw remediation, directly mitigating this CVE by applying the patch in Chamilo 1.11.34 that adds CSRF protections.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF in public-facing web app directly enables exploitation via malicious link requiring user interaction.
NVD Description
Chamilo is a learning management system. Prior to version 1.11.34, a Cross-Site Request Forgery (CSRF) vulnerability allows an attacker to delete projects inside a course without the victim’s consent. The issue arises because sensitive actions such as project deletion do…
more
not implement anti-CSRF protections (tokens) and GET based requests. As a result, an authenticated user (Trainer) can be tricked into executing this unwanted action by simply visiting a malicious page. This issue has been patched in version 1.11.34.
Deeper analysisAI
CVE-2025-59541 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting Chamilo, an open-source learning management system. Versions prior to 1.11.34 are vulnerable due to the absence of anti-CSRF protections, such as tokens, on sensitive actions like project deletion within courses. These actions rely on GET-based requests, enabling unauthorized execution when triggered inadvertently.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) with low complexity (AC:L) by tricking an authenticated Trainer user into visiting a malicious webpage (UI:R). The forged request deletes projects inside a course without the victim's consent, leading to high integrity (I:H) and availability (A:H) impacts but no confidentiality loss (C:N), with an unchanged scope (S:U). The CVSS v3.1 base score is 8.1.
The issue was patched in Chamilo version 1.11.34. Mitigation involves upgrading to this version or later. Additional details are available in the GitHub release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 and the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpj6-p9m5-q637.
Details
- CWE(s)