Chamilo is an open-source learning management system widely used in educational institutions and organizations. The vulnerability identified as CVE-2025-52469 stems from improper enforcement of the behavioral workflow in the social network module's friend request feature. Specifically, prior to version 1.11.30, the system fails to properly validate the workflow steps when processing friend requests. An authenticated attacker can directly call the AJAX endpoint responsible for adding friends, bypassing the intended process of sending and accepting friend requests. This allows the attacker to forcibly add any user as a friend without their consent, including users that do not exist in the system. This flaw violates access control policies and undermines the integrity of social interactions within the platform. The vulnerability is classified under CWE-841 (Improper Enforcement of Behavioral Workflow). The CVSS v3.1 base score is 7.1, with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N, indicating network attack vector, low attack complexity, requiring low privileges (authenticated user), no user interaction, unchanged scope, low confidentiality impact, high integrity impact, and no availability impact. Although no exploits have been reported in the wild, the vulnerability poses a significant risk to user privacy and trust in the platform. The vendor has addressed this issue in Chamilo LMS version 1.11.30 by enforcing proper workflow validation and access control checks on the friend request AJAX endpoint.

The primary impact of this vulnerability is on the integrity of the social network module within Chamilo LMS. Attackers can manipulate friend relationships without user consent, potentially leading to unauthorized access to user-related social data or interactions that rely on friend relationships. This can erode user trust and privacy, as users may be unknowingly connected to malicious or unauthorized accounts. While confidentiality impact is rated low, the breach of social interaction logic can facilitate further social engineering or targeted attacks within the LMS environment. Since the vulnerability requires authentication, the attack surface is limited to registered users, but given that many LMS deployments have large user bases, the scope can be significant. There is no direct impact on system availability. Organizations relying on Chamilo LMS for educational or training purposes may face reputational damage and compliance risks if user privacy is compromised. The lack of user interaction requirement makes exploitation straightforward for authenticated users, increasing the likelihood of abuse if the system is not patched.

Organizations should upgrade Chamilo LMS installations to version 1.11.30 or later, where the vulnerability has been patched. Until upgrade is possible, administrators can implement strict monitoring and logging of AJAX endpoint calls related to friend requests to detect anomalous behavior. Access controls should be reviewed to ensure only authorized users can invoke sensitive endpoints. Additionally, consider disabling or restricting the social network module if it is not essential to reduce the attack surface. User education on recognizing suspicious friend connections can help mitigate social engineering risks. Regularly auditing user relationships and cleaning up unauthorized friend links can limit the impact of exploitation. Finally, maintain up-to-date backups and incident response plans to quickly address any misuse stemming from this vulnerability.