{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-59544", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-09-17T17:04:20.374Z", "datePublished": "2026-03-06T03:32:20.180Z", "dateUpdated": "2026-03-09T15:29:09.309Z"}, "containers": {"cna": {"title": "Chamilo: Unauthorized access to update category of any user", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x3h9-h7qf-wwrf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x3h9-h7qf-wwrf"}, {"name": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34", "tags": ["x_refsource_MISC"], "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34"}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"version": "< 1.11.34", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T03:32:20.180Z"}, "descriptions": [{"lang": "en", "value": "Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the \"category_id\" parameter which allows users to update the category of any user by replacing the \"category_id\" parameter. This issue has been patched in version 1.11.34."}], "source": {"advisory": "GHSA-x3h9-h7qf-wwrf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T15:29:02.598291Z", "id": "CVE-2025-59544", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T15:29:09.309Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-59544", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T15:29:02.598291Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T15:29:05.816Z"}}], "cna": {"title": "Chamilo: Unauthorized access to update category of any user", "source": {"advisory": "GHSA-x3h9-h7qf-wwrf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "chamilo", "product": "chamilo-lms", "versions": [{"status": "affected", "version": "< 1.11.34"}]}], "references": [{"url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x3h9-h7qf-wwrf", "name": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x3h9-h7qf-wwrf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34", "name": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the \"category_id\" parameter which allows users to update the category of any user by replacing the \"category_id\" parameter. This issue has been patched in version 1.11.34."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T03:32:20.180Z"}}}, "cveMetadata": {"cveId": "CVE-2025-59544", "state": "PUBLISHED", "dateUpdated": "2026-03-09T15:29:09.309Z", "dateReserved": "2025-09-17T17:04:20.374Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T03:32:20.180Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF6714C4-3D58-43BF-A32C-6D436DB93E01", "versionEndExcluding": "1.11.34", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the \"category_id\" parameter which allows users to update the category of any user by replacing the \"category_id\" parameter. This issue has been patched in version 1.11.34."}, {"lang": "es", "value": "Chamilo es un sistema de gesti\u00f3n del aprendizaje. Antes de la versi\u00f3n 1.11.34, la funcionalidad para que el usuario actualice la categor\u00eda no implementa comprobaciones de autorizaci\u00f3n para el par\u00e1metro 'category_id', lo que permite a los usuarios actualizar la categor\u00eda de cualquier usuario al reemplazar el par\u00e1metro 'category_id'. Este problema ha sido parcheado en la versi\u00f3n 1.11.34."}], "id": "CVE-2025-59544", "lastModified": "2026-03-09T17:32:34.723", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-06T04:16:02.463", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-x3h9-h7qf-wwrf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.11.34)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "chamilo-lms", "source": "cna", "vendor": "chamilo"}, "product": "chamilo_lms", "vendor": "chamilo"}], "created": "2026-03-06T14:56:02.424592+00:00", "updated": "2026-03-06T14:56:02.424669+00:00", "vendors": ["chamilo", "chamilo$PRODUCT$chamilo_lms"]}