Platform
php
Component
chamilo-lms
Fixed in
1.11.1
CVE-2025-66447 affects Chamilo LMS, a popular learning management system. A flaw in versions 1.11.0 through 2.0-beta.1 allows an attacker to trigger a malicious redirect by manipulating the 'redirect' parameter within the /login endpoint. This vulnerability has been resolved in version 2.0-beta.2, providing a critical security update for Chamilo users.
The vulnerability stems from insufficient input validation on the 'redirect' parameter in the /login endpoint. An attacker can craft a URL whose 'redirect' parameter points to an arbitrary external website. When a user clicks a link containing this URL, or is otherwise directed to the login page with the crafted parameter, they are redirected to the attacker-controlled site. This could lead to phishing, malware distribution, or other malicious activity. The potential impact is significant, as it can compromise user credentials and expose the Chamilo LMS environment to further attacks.
CVE-2025-66447 was published on 2026-04-10. The CVSS score is pending evaluation. There are currently no publicly known exploits or active campaigns targeting this vulnerability. It is not listed on KEV or EPSS, suggesting a low probability of near-term exploitation. Monitor Chamilo's security advisories and relevant threat intelligence feeds for updates.
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-66447 is upgrading Chamilo LMS to version 2.0-beta.2 or later. If an immediate upgrade is not possible, implement temporary workarounds. These include restricting access to the /login endpoint through a Web Application Firewall (WAF) or proxy server, specifically blocking requests with suspicious values in the 'redirect' parameter. Additionally, carefully review and sanitize any user-provided input used in redirection logic. After upgrading, verify the fix by attempting to access the /login endpoint with a crafted 'redirect' parameter and confirming that the redirection is blocked or handled securely.
Update Chamilo LMS to version 2.0-beta.2 or later to mitigate the unvalidated redirect vulnerability on the login page. This update fixes the issue by properly validating the destination URL before performing the redirect.
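As an added illustration (not Chamilo's own PHP code), the Python below shows the validation the fix must perform on the 'redirect' value, accepting only a same-origin relative path, together with a scan of constructed access-log lines that flags the values a WAF rule or log review should catch. The default landing path, the log format and the sample log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit, urlunsplit

DEFAULT_LANDING = "/"  # assumed fallback used when the parameter is rejected

# Constructed sample access-log lines (not real traffic) for the scan below.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2026:10:00:01 +0000] "GET /login?redirect=%2Fmain%2Fmycourses.php HTTP/1.1" 200 512
10.0.0.7 - - [10/Apr/2026:10:00:02 +0000] "GET /login?redirect=https%3A%2F%2Fattacker.example%2F HTTP/1.1" 200 512
10.0.0.9 - - [10/Apr/2026:10:00:03 +0000] "GET /login?redirect=%2F%2Fattacker.example HTTP/1.1" 200 512
10.0.0.9 - - [10/Apr/2026:10:00:04 +0000] "GET /login HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def safe_redirect_target(redirect, default=DEFAULT_LANDING):
    """Return 'redirect' only if it is a same-origin relative path, else 'default'.
    Rejects scheme/host, protocol-relative '//host', backslashes ('/\\host' is
    normalised to '//host' by browsers) and control characters."""
    if not redirect:
        return default
    if "\\" in redirect or any(ord(c) < 0x20 or ord(c) == 0x7F for c in redirect):
        return default
    if not redirect.startswith("/") or redirect.startswith("//"):
        return default
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc:  # the parser must agree there is no host
        return default
    # Rebuild from components so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


def is_suspicious_redirect(redirect):
    """True when a value should be blocked at the WAF or flagged in log review."""
    return bool(redirect) and safe_redirect_target(redirect, default=None) is None


def flagged_redirects(log_text):
    """Return (client_ip, decoded redirect) for /login requests carrying a suspicious value."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if target.path != "/login":
            continue
        for value in parse_qs(target.query).get("redirect", []):
            if is_suspicious_redirect(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits
```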
CVE-2025-66447 is a vulnerability in Chamilo LMS allowing attackers to redirect users to malicious websites via the /login endpoint. It affects versions 1.11.0 through 2.0-beta.1, enabling potential phishing or malware attacks.
You are affected if you are running Chamilo LMS versions 1.11.0 up to, but not including, 2.0-RC.3. Check your version and upgrade immediately if vulnerable.
Upgrade Chamilo LMS to version 2.0-beta.2 or later. As a temporary workaround, implement a WAF rule to block malicious redirects or sanitize the redirect parameter.
At the time of writing there is no public evidence of CVE-2025-66447 being actively exploited, but continued monitoring is recommended.
Refer to the official Chamilo LMS security advisories on their website for the latest information and updates regarding CVE-2025-66447.