CVE-2025-59541
📋 TL;DR
This CSRF vulnerability in Chamilo LMS allows attackers to trick authenticated trainers into deleting projects within courses without their consent. The vulnerability exists because project deletion actions lack anti-CSRF protections and use GET requests. Only authenticated trainers who can access course projects are affected.
💻 Affected Systems
- Chamilo LMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors could systematically delete all projects across multiple courses, causing significant data loss and disruption to educational activities.
Likely Case
Targeted deletion of specific projects through social engineering, leading to loss of student work and course materials.
If Mitigated
No impact if proper CSRF tokens are implemented and POST requests are required for destructive actions.
🎯 Exploit Status
Exploitation requires social engineering to trick authenticated trainers but uses simple CSRF techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.34
Vendor Advisory: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-rpj6-p9m5-q637
Restart Required: No
Instructions:
1. Back up your Chamilo installation and database.
2. Download version 1.11.34 from the official repository.
3. Replace the existing files with the patched version.
4. Run the database update scripts if required.
5. Verify functionality.
🔧 Temporary Workarounds
Implement CSRF Protection
Add CSRF tokens to project deletion endpoints and change the deletion action from GET to POST requests
Web Application Firewall Rules
Configure the WAF to block suspicious GET requests to project deletion endpoints
🧯 If You Can't Patch
- Implement strict SameSite cookie policies and require re-authentication for destructive actions
- Educate trainers about CSRF risks and safe browsing practices
🔍 How to Verify
Check if Vulnerable:
Check if Chamilo version is below 1.11.34 and inspect project deletion endpoints for missing CSRF tokens
Check Version:
Check Chamilo admin panel or inspect main/inc/conf/configuration.php for version information
Verify Fix Applied:
Verify version is 1.11.34 or higher and test that project deletion requires CSRF tokens and POST requests
📡 Detection & Monitoring
Log Indicators:
- Multiple project deletion requests from same user in short timeframe
- GET requests to project deletion endpoints
Network Indicators:
- Unusual referrer headers in project deletion requests
- Requests to project deletion without corresponding CSRF tokens
SIEM Query:
source="chamilo_logs" AND (uri="*delete_project*" OR uri="*project/delete*") AND method="GET"
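As an added example that is not part of this CVE record, the log indicators above (GET requests to deletion endpoints, off-site referrers, bursts of deletions from one user) implemented as a small Python detector over constructed access-log lines. The log format, the endpoint paths and the hostname lms.example are assumptions for the example, not Chamilo's actual paths.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log: "timestamp user method uri referer" (a "-" referer means none).
# The endpoint paths are invented for the example and only mirror the SIEM query patterns.
SAMPLE_LOG = """\
2025-09-01T10:00:01 trainer1 GET /course/work.php?action=delete_project&id=12 https://evil.example/page
2025-09-01T10:00:02 trainer1 GET /course/work.php?action=delete_project&id=13 https://evil.example/page
2025-09-01T10:00:03 trainer1 GET /course/work.php?action=delete_project&id=14 https://evil.example/page
2025-09-01T10:05:00 trainer2 POST /course/project/delete https://lms.example/course/work.php
2025-09-01T10:06:00 trainer2 GET /course/work.php?action=view -
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<referer>\S+)$")
DELETE_PATTERNS = ("delete_project", "project/delete")  # same patterns as the SIEM query
LMS_HOST = "lms.example"      # assumed hostname of our own LMS
WINDOW_SECONDS = 60           # burst window
BURST_THRESHOLD = 3           # deletions per user per window that trigger an alert

def parse_log(text):
    """Parse lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def is_deletion(uri):
    return any(p in uri for p in DELETE_PATTERNS)

def detect(text):
    """Return (indicator, user, detail) tuples for the log indicators on this page."""
    alerts, per_user = [], defaultdict(list)
    for e in parse_log(text):
        if not is_deletion(e["uri"]):
            continue
        if e["method"] == "GET":          # destructive action over GET: the CSRF-prone shape
            alerts.append(("GET_DELETE", e["user"], e["uri"]))
        host = urlparse(e["referer"]).hostname if e["referer"] != "-" else None
        if host is not None and host != LMS_HOST:   # deletion triggered from a foreign page
            alerts.append(("FOREIGN_REFERER", e["user"], e["referer"]))
        # Note: a missing referer is not proof of legitimacy; browsers may strip it.
        per_user[e["user"]].append(e["ts"])
    for user, times in per_user.items():  # many deletions by one user in a short window
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if (times[i + BURST_THRESHOLD - 1] - times[i]).total_seconds() <= WINDOW_SECONDS:
                alerts.append(("DELETE_BURST", user, BURST_THRESHOLD))
                break
    return alerts
```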