CVE-2025-59544: CWE-862: Missing Authorization in chamilo chamilo-lms
Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. This issue has been patched in version 1.11.34.
AI Analysis
Technical Summary
Chamilo LMS, an open-source learning management system, contains a missing-authorization flaw (CVE-2025-59544, CWE-862) in versions prior to 1.11.34. The affected code path is the one a logged-in user calls to update a category: the request carries a 'category_id' parameter, and the server applies the update to whichever category that ID names without first checking that the category belongs to the requesting user. A user can therefore replace 'category_id' with the ID of another user's category and modify it, the classic insecure direct object reference pattern. The advisory describes the feature as a user-facing one, so the practical precondition is an ordinary account on the instance; no special role and no interaction from the victim is needed. The direct impact is to integrity: other users' category records can be altered by anyone who can guess or enumerate their IDs, which is trivial if the IDs are sequential integers. Any effect on confidentiality or on access control depends on whether category membership feeds other authorization decisions in the deployment, and the advisory does not claim that it does. Availability is not affected. The fix shipped in Chamilo LMS 1.11.34. No exploitation in the wild has been reported, but the flaw is a single crafted request and every installation earlier than 1.11.34 is affected, so it should be patched promptly.
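The pattern behind the advisory, as an added illustration that is not Chamilo's code and uses none of its table, route or function names: a category-update handler that trusts the submitted 'category_id' (the vulnerable shape) beside one that binds the referenced object to the session user (the fixed shape). The in-memory database, the user IDs and the `Forbidden` error type are all constructed for the demo.

```python
"""Illustration of CWE-862 on a category-update endpoint.

Added, stand-alone example: not Chamilo code, no Chamilo identifiers.
The in-memory 'database' below is constructed for the demo. Category IDs
are sequential integers, as auto-increment keys usually are, which is
exactly what makes substituting another user's ID easy.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not touch the referenced object (hypothetical type)."""


@dataclass
class Category:
    category_id: int
    owner_id: int
    name: str


@dataclass
class Database:
    categories: dict = field(default_factory=dict)

    def get(self, category_id: int) -> Category:
        return self.categories[category_id]


def make_demo_db() -> Database:
    # Constructed sample data: user 1 (victim) and user 2 (attacker) each own one category.
    db = Database()
    db.categories[10] = Category(10, owner_id=1, name="Victim's courses")
    db.categories[11] = Category(11, owner_id=2, name="Attacker's courses")
    return db


def update_category_vulnerable(db: Database, session_user_id: int, params: dict) -> Category:
    """Before the fix: the request's category_id is used as-is.

    The handler knows who is logged in (session_user_id) but never compares
    that to the owner of the category it is about to modify.
    """
    category = db.get(int(params["category_id"]))
    category.name = params["name"]
    return category


def update_category_fixed(db: Database, session_user_id: int, params: dict) -> Category:
    """After the fix: ownership is checked before the write.

    The object is resolved first and then compared to the caller; both
    'not yours' and 'does not exist' get the same error so the endpoint does
    not become an oracle for which IDs exist.
    """
    try:
        category = db.get(int(params["category_id"]))
    except KeyError:
        raise Forbidden("no such category or not owned by caller") from None
    if category.owner_id != session_user_id:
        raise Forbidden("no such category or not owned by caller")
    category.name = params["name"]
    return category


def demo() -> tuple:
    """Attacker (user 2) submits the victim's category_id (10) to both handlers.

    Returns (victim name after vulnerable handler, whether the fixed handler
    refused, victim name after fixed handler).
    """
    tampered = {"category_id": "10", "name": "pwned"}

    vuln_db = make_demo_db()
    update_category_vulnerable(vuln_db, session_user_id=2, params=tampered)
    vuln_name = vuln_db.get(10).name  # victim's record was rewritten

    fixed_db = make_demo_db()
    blocked = False
    try:
        update_category_fixed(fixed_db, session_user_id=2, params=tampered)
    except Forbidden:
        blocked = True
    return vuln_name, blocked, fixed_db.get(10).name


if __name__ == "__main__":
    print(demo())
```

An equally valid fix in a SQL-backed application is to fold the owner into the lookup itself (select the category by both its ID and the session user's ID, and treat zero rows as forbidden); the important property either way is that the server derives the owner from the session, never from the request.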
Potential Impact
An attacker with an account on the instance can modify the category records of any other user. On its own that is an integrity problem: other users' categorizations can be renamed or otherwise altered without their knowledge. It becomes an access-control problem only where a deployment uses category membership to drive permissions or content visibility; the advisory does not say that Chamilo does so, but organizations that have built such dependencies should assume the worst. Institutions using Chamilo for teaching or training may find their user categorization data untrustworthy and their administrative workflows disrupted. Availability is unaffected, though unauthorized changes can still have knock-on effects on operations and on data-governance obligations. Because the attack is a single crafted request with a substituted identifier, it lends itself to scripted, bulk exploitation against internet-facing instances.
Mitigation Recommendations
Upgrade Chamilo LMS to 1.11.34 or later; that release adds the ownership check on the 'category_id' parameter. Until the upgrade is done, and afterwards as a verification step, audit category records for changes that predate the patch: compare each category's current state against backups or change history and investigate records whose modifications were not made by their owner. If the deployment logs category updates, correlate the acting user with the owner of the category referenced in each request; any mismatch is a likely exploitation attempt and should raise an alert. Limiting network exposure of the LMS to trusted users and IP ranges shrinks the population of accounts that could attempt the attack, and keeping roles and permissions minimal limits what a tampered category can affect. Keep an incident response playbook for suspicious user-management activity so that a detected mismatch can be investigated and reverted quickly.
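The audit and alerting step above, as an added example that is not Chamilo's code: it joins a constructed JSON-lines log of category-update events against a constructed ownership snapshot, flags every update whose actor is not the owner, and collapses the findings per actor so that one account sweeping through several other users' categories stands out from a one-off. Chamilo's real schema and log format are not used; the field names (`actor_id`, `category_id`, `action`) are a hypothetical format to adapt to whatever the deployment records.

```python
"""Audit category-update events for cross-user modifications.

Added example, not Chamilo code. The ownership snapshot and the JSON-lines
event log below are constructed inputs in a hypothetical format; replace
the two constants with loaders for your deployment's own records.
"""
import json
from collections import defaultdict

# Constructed ownership snapshot: category_id -> owner user_id.
OWNERSHIP = {10: 1, 11: 2, 12: 3, 13: 3}

# Constructed audit log, one JSON object per line. User 2 renames its own
# category once, then sweeps through other users' IDs and one unknown ID.
AUDIT_LOG = """\
{"ts": "2026-03-01T10:00:00Z", "actor_id": 2, "action": "category_update", "category_id": 11}
{"ts": "2026-03-01T10:00:05Z", "actor_id": 2, "action": "category_update", "category_id": 10}
{"ts": "2026-03-01T10:00:06Z", "actor_id": 2, "action": "category_update", "category_id": 12}
{"ts": "2026-03-01T10:00:07Z", "actor_id": 2, "action": "category_update", "category_id": 13}
{"ts": "2026-03-01T10:00:08Z", "actor_id": 2, "action": "category_update", "category_id": 99}
{"ts": "2026-03-01T10:05:00Z", "actor_id": 3, "action": "category_update", "category_id": 12}
{"ts": "2026-03-01T10:06:00Z", "actor_id": 1, "action": "login", "category_id": null}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def find_cross_user_updates(events: list, ownership: dict) -> list:
    """Return update events whose actor is not the owner of the target category.

    Updates to category IDs absent from the snapshot are flagged too, with
    owner_id None: such an ID is either a deleted record or a probe.
    """
    findings = []
    for ev in events:
        if ev.get("action") != "category_update":
            continue
        cid = ev.get("category_id")
        owner = ownership.get(cid)
        if owner is None or owner != ev["actor_id"]:
            findings.append({
                "ts": ev["ts"],
                "actor_id": ev["actor_id"],
                "category_id": cid,
                "owner_id": owner,
            })
    return findings


def actors_to_alert(findings: list, min_victims: int = 2) -> dict:
    """Collapse findings per actor and keep those that touched at least
    min_victims distinct foreign owners (None counts as one 'owner').

    An actor hitting several other users' categories in a run looks like ID
    enumeration rather than a single mis-clicked request.
    """
    victims = defaultdict(set)
    for f in findings:
        victims[f["actor_id"]].add(f["owner_id"])
    return {
        actor: sorted(owners, key=lambda o: (o is None, o or 0))
        for actor, owners in victims.items()
        if len(owners) >= min_victims
    }


def run_audit(log_text: str = AUDIT_LOG, ownership: dict = OWNERSHIP) -> tuple:
    """Return (per-event findings, per-actor alerts) for the given inputs."""
    findings = find_cross_user_updates(parse_events(log_text), ownership)
    return findings, actors_to_alert(findings)


if __name__ == "__main__":
    findings, alerts = run_audit()
    for f in findings:
        print("cross-user update:", f)
    print("actors to alert:", alerts)
```

This only works if the application records the acting user and the target object for each update; plain web-server access logs do not carry session identity, so the correlation has to come from an application-level audit trail or from database change history joined against the ownership column.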
Affected Countries
United States, Brazil, France, Spain, Mexico, Argentina, Colombia, Portugal, Italy, Germany
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-17T17:04:20.374Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa5508c48b3f10fff1d3cb
Added to database: 3/6/2026, 4:16:08 AM
Last enriched: 3/13/2026, 7:44:49 PM
Last updated: 4/19/2026, 7:49:29 PM
Views: 81