Chamilo Improper Enforcement of Behavioral Workflow Vulnerability - CVE-2025-52469
Chamilo is a learning management system. Prior to version 1.11.30, a logic vulnerability in the friend request workflow of Chamilo's social network module allows an authenticated user to forcibly add any user as a friend by directly calling the AJAX endpoint. The attacker can bypass the normal flow of sending and accepting friend requests and even add non-existent users. This breaks access control and social interaction logic, with potential privacy implications. This issue has been patched in version 1.11.30.
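
The class of flaw described above, as an added example that is neither Chamilo's code nor part of the original advisory: a simplified Python model that contrasts a handler writing the friendship directly with one that requires an existing user and a pending invitation addressed to the caller. All names (SocialGraph, add_friend_unchecked, send_request, accept_request, are_friends) are hypothetical.

```python
# Simplified model of a friend-request workflow (constructed; not Chamilo code).

class WorkflowError(Exception):
    """Raised when a call does not match the current state of the workflow."""


class SocialGraph:
    def __init__(self, user_ids):
        self.users = set(user_ids)   # accounts that actually exist
        self.pending = set()         # (sender, recipient) invitations awaiting an answer
        self.friends = set()         # frozenset({a, b}) per established friendship

    def _require_user(self, user_id):
        if user_id not in self.users:
            raise WorkflowError(f"unknown user {user_id!r}")

    def add_friend_unchecked(self, caller, target):
        # Flawed pattern: trusts the request parameters and writes the relation
        # directly, so no invitation, consent or existence check is involved.
        self.friends.add(frozenset((caller, target)))

    def send_request(self, caller, target):
        self._require_user(caller)
        self._require_user(target)
        if caller == target:
            raise WorkflowError("cannot befriend yourself")
        if frozenset((caller, target)) in self.friends:
            raise WorkflowError("already friends")
        self.pending.add((caller, target))

    def accept_request(self, caller, sender):
        # Hardened pattern: only the recipient of an existing invitation can
        # create the relation; `caller` is taken from the session, not the request.
        self._require_user(caller)
        self._require_user(sender)
        if (sender, caller) not in self.pending:
            raise WorkflowError("no pending invitation from that user")
        self.pending.discard((sender, caller))
        self.friends.add(frozenset((caller, sender)))


def are_friends(graph, a, b):
    return frozenset((a, b)) in graph.friends
```

The server-side checks in accept_request are the ones the bypass skips: the other account must exist and the state change must follow a pending invitation that was sent to the authenticated caller.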