CVE-2025-69581

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks.

An issue was discovered in Chamillo LMS 1.11.2. The Social Network /personal_data endpoint exposes full sensitive user information even after logout because proper cache-control is missing. Using the browser back button restores all personal data, allowing unauthorized users on the same device to view confidential information. This leads to profiling, impersonation, targeted attacks, and significant privacy risks.

Se descubrió un problema en Chamillo LMS 1.11.2. El endpoint /personal_data de la Red Social expone información sensible completa del usuario incluso después de cerrar sesión porque falta un control de caché adecuado. Usar el botón de retroceso del navegador restaura todos los datos personales, permitiendo a usuarios no autorizados en el mismo dispositivo ver información confidencial. Esto conduce a la elaboración de perfiles, suplantación de identidad, ataques dirigidos y riesgos significativos para la privacidad.