Platform
php
Component
chamilo-lms
Fixed in
1.11.35
CVE-2025-59542 is a stored cross-site scripting (XSS) vulnerability in Chamilo LMS versions prior to 1.11.34. An attacker with a low-privileged account can store JavaScript that later executes in the browsers of other users who view the affected page, which can lead to account takeover. The issue was addressed in version 1.11.34, and users are strongly advised to upgrade.
The impact is significant. An attacker with only a trainer account can place JavaScript in the course learning path Settings field. When another user, including an administrator, opens the course information page, the stored script runs in that user's browser with that user's session. It can read session cookies or tokens that are not protected by the HttpOnly flag, and even where HttpOnly is set it can still issue requests with the victim's session, so HttpOnly limits cookie theft but does not by itself prevent takeover. Account takeover (ATO) of an administrator gives the attacker full control of the Chamilo LMS instance, with the usual consequences: exposure of learner and course data, further compromise of the host, and disruption of teaching. Because a single trainer account is enough to reach every administrator who views the page, the blast radius across an organization's learning environment is large.
CVE-2025-59542 was published on 2026-03-06. No public proof-of-concept (PoC) code had been released at the time of writing. The CVSS score of 9.1 (CRITICAL) rates severity, not likelihood of exploitation; the EPSS estimate shown on this page (0.04%, 13th percentile) is low, and the CVE is not listed in the CISA KEV catalog. No active campaigns targeting Chamilo LMS are currently known, but a stored XSS that needs only a trainer account and a page administrators routinely open is cheap to exploit, so it warrants monitoring.
Organizations utilizing Chamilo LMS, particularly those with trainers or other low-privileged users who have the ability to modify course learning paths, are at risk. Environments with legacy Chamilo installations or those lacking robust security monitoring practices are especially vulnerable.
• php / web (the install path is assumed for a default deployment; Chamilo 1.11.x records its release string in main/install/version.php):
grep -n 'new_version' /var/www/html/chamilo/main/install/version.php
• generic web (check whether the instance already sends a Content-Security-Policy header that restricts inline script):
curl -sI 'https://your-chamilo-instance/course/view.php?id=123' | grep -i 'content-security-policy'
• generic web (list inline script blocks on the course page for manual review; tr joins the lines so multi-line blocks match, and grep needs -P for the non-greedy quantifier):
curl -s 'https://your-chamilo-instance/course/view.php?id=123' | tr -d '\n' | grep -oP '<script[^>]*>.*?</script>'
Disclosure
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-59542 is to upgrade Chamilo LMS to version 1.11.34 or later. Before upgrading, back up the Chamilo LMS database and configuration files so that you can roll back if necessary. Until the upgrade is done, a Web Application Firewall (WAF) with XSS filtering rules can block common JavaScript payloads, but treat it as a stop-gap only: signature-based XSS filters are routinely bypassed with alternative encodings and tag variants. Review existing learning path Settings values for stored markup, since content injected before the upgrade is not removed by the upgrade, and confirm that the session cookie is issued with the HttpOnly and Secure flags. After upgrading, verify the fix on a test instance rather than in production: store a harmless canary (for example an img tag with an onerror handler that only writes to the console) in the course learning path Settings field from a trainer account, then open the course information page as an administrator and confirm that the canary is rendered as escaped text and does not execute.
Upgrade Chamilo LMS to version 1.11.34 or later. That version contains the fix for the stored XSS vulnerability in the course learning paths.
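The helpers below turn the post-upgrade check from the mitigation section and the cookie-theft concern from the impact section into repeatable assertions. They are an added example, not Chamilo project code and not part of this advisory. They assume a test instance on which a trainer account has stored the canary in the learning path Settings field and an administrator session has fetched the course information page; the markup, cookie names and Set-Cookie lines in the block are constructed stand-ins, not Chamilo's real output.

```python
"""Post-upgrade verification helpers for a stored-XSS fix (added example;
not Chamilo code). Inputs are the fetched course page HTML and the
Set-Cookie headers of the administrator session."""
import html
import re
from dataclasses import dataclass
from typing import List, Optional

# Harmless canary: only logs to the console if it ever executes.
CANARY = '<img src=x onerror="console.log(1)">'
# What PHP's htmlspecialchars(CANARY, ENT_QUOTES) emits, written out by hand.
CANARY_ESCAPED = '&lt;img src=x onerror=&quot;console.log(1)&quot;&gt;'


def canary_rendering(page_html: str, canary: str = CANARY) -> str:
    """'raw'     : canary survives unescaped -> stored XSS still present
       'escaped' : canary appears entity-encoded -> output escaping works
       'absent'  : canary stripped or transformed -> inspect manually
                   (a sanitizer that strips tags is not the same as escaping)"""
    if canary in page_html:
        return "raw"
    encodings = {html.escape(canary, quote=True), html.escape(canary, quote=False)}
    if any(enc in page_html for enc in encodings):
        return "escaped"
    return "absent"


def inline_event_handlers(page_html: str) -> List[str]:
    """Names of on* attributes that sit inside real tags. Entity-encoded text
    such as '&lt;img ... onerror=' is not inside a tag and is not reported."""
    return re.findall(r"<[a-z][^>]*?\s(on[a-z]+)\s*=", page_html, flags=re.I)


@dataclass
class CookieReport:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]


def check_cookie_flags(set_cookie_headers: List[str]) -> List[CookieReport]:
    """Parse Set-Cookie lines and report the flags that matter for XSS:
    HttpOnly keeps document.cookie from reading the session, Secure keeps it
    off plaintext HTTP. Neither stops script from acting with the session."""
    reports = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            attrs[key.lower()] = value
        reports.append(CookieReport(name, "httponly" in attrs, "secure" in attrs,
                                    attrs.get("samesite") or None))
    return reports


def verify(page_html: str, set_cookie_headers: List[str]) -> List[str]:
    """Return a list of findings; an empty list means the page escapes the
    canary, carries no inline handlers, and the cookies are flagged."""
    findings = []
    state = canary_rendering(page_html)
    if state == "raw":
        findings.append("canary rendered unescaped: stored XSS still present")
    elif state == "absent":
        findings.append("canary missing: field stripped or truncated, inspect manually")
    for attr in inline_event_handlers(page_html):
        findings.append(f"inline event handler in page: {attr}")
    for c in check_cookie_flags(set_cookie_headers):
        if not c.http_only:
            findings.append(f"cookie {c.name} lacks HttpOnly (readable by injected script)")
        if not c.secure:
            findings.append(f"cookie {c.name} lacks Secure")
    return findings


def course_page(settings_value: str) -> str:
    """Constructed stand-in for the course information page (not Chamilo markup)."""
    return ('<html><head><title>Course information</title></head><body>'
            '<h2>Learning path settings</h2>'
            f'<div class="lp-settings">{settings_value}</div></body></html>')


VULNERABLE_PAGE = course_page(CANARY)          # field echoed unescaped
FIXED_PAGE = course_page(CANARY_ESCAPED)        # field passed through htmlspecialchars
COOKIES_WEAK = ["PHPSESSID=abc123; Path=/"]                                    # constructed
COOKIES_HARDENED = ["PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]  # constructed

if __name__ == "__main__":
    for label, page, cookies in (("before fix", VULNERABLE_PAGE, COOKIES_WEAK),
                                 ("after fix", FIXED_PAGE, COOKIES_HARDENED)):
        print(label, verify(page, cookies) or ["ok"])
```

Feed `verify()` the real page body and the `Set-Cookie` headers captured from the administrator login; the "absent" state deserves a manual look, because a field that silently strips tags may still pass attribute-based payloads that the canary does not exercise.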
CVE-2025-59542 is a stored cross-site scripting (XSS) vulnerability in Chamilo LMS versions prior to 1.11.34, allowing attackers to inject malicious JavaScript.
You are affected if you are running a Chamilo LMS version earlier than 1.11.34. Upgrade to version 1.11.34 or later to mitigate the risk.
Upgrade Chamilo LMS to version 1.11.34 or later. Back up your installation before upgrading.
There are currently no publicly known active exploitation campaigns, but the vulnerability's impact suggests it could become a target.
Refer to the official Chamilo security advisory for details and further guidance: [https://www.chamilo.org/en/security-advisories](https://www.chamilo.org/en/security-advisories)