Chamilo LMS, a widely used open-source learning management system, suffers from a Cross-Site Request Forgery (CSRF) vulnerability identified as CVE-2025-59541. This vulnerability exists in versions prior to 1.11.34 and allows an attacker to perform unauthorized project deletions within a course by exploiting the absence of anti-CSRF tokens and the use of GET requests for sensitive operations. Specifically, authenticated users with trainer privileges can be coerced into executing these destructive actions simply by visiting a maliciously crafted webpage, which triggers the deletion request without their explicit consent. The root cause is the failure to implement CSRF protections on critical endpoints and the unsafe use of GET methods for state-changing requests, violating secure web application design principles. The vulnerability has a CVSS 3.1 score of 8.1, reflecting its high severity due to the ease of exploitation (no privileges required beyond authentication), the lack of user interaction beyond visiting a page, and the significant impact on integrity and availability of course data. While no public exploits have been reported, the vulnerability poses a serious risk to educational institutions and organizations relying on Chamilo LMS for course management. The vendor addressed the issue in version 1.11.34 by adding proper anti-CSRF tokens and presumably changing request methods for sensitive actions.

The primary impact of CVE-2025-59541 is the unauthorized deletion of projects within courses, which compromises the integrity and availability of educational content. This can lead to loss of critical instructional materials, disruption of course delivery, and potential reputational damage for affected institutions. Since the vulnerability requires an authenticated trainer account, attackers must first compromise or socially engineer such credentials or rely on insider threats. The ease of exploitation via a simple webpage visit increases the risk of widespread attacks, especially in environments where users may be less security-aware. Organizations could face operational downtime, data loss, and the administrative burden of restoring deleted content. Additionally, the trust in the LMS platform could be undermined, affecting user confidence and compliance with educational data protection standards.

Organizations should immediately upgrade Chamilo LMS to version 1.11.34 or later to apply the official patch that addresses this CSRF vulnerability. In addition to patching, administrators should audit all sensitive actions within the LMS to ensure they use POST requests combined with anti-CSRF tokens to prevent similar issues. Implementing Content Security Policy (CSP) headers can help reduce the risk of malicious cross-site requests. User training to recognize phishing and suspicious links is critical to reduce the likelihood of users visiting malicious pages. Monitoring web server logs for unusual deletion requests and enabling multi-factor authentication (MFA) for trainer accounts can further reduce risk. Regular backups of course data should be maintained to enable recovery in case of data loss. Finally, security testing and code reviews should be integrated into the development lifecycle to prevent recurrence of such vulnerabilities.