Platform
php
Component
chamilo-lms
Fixed in
1.11.35
CVE-2025-59542 describes a stored cross-site scripting (XSS) vulnerability affecting Chamilo LMS versions prior to 1.11.34. This vulnerability allows an attacker to inject malicious JavaScript code, potentially leading to account takeover. The vulnerability has been patched in version 1.11.34, and users are strongly advised to upgrade.
The impact of CVE-2025-59542 is significant. An attacker with a low-privileged account, such as a trainer, can exploit this vulnerability to inject malicious JavaScript into the course learning path Settings field. When other users, including administrators, view the course information page, the injected script executes in their context. This allows the attacker to steal sensitive session cookies or tokens, effectively enabling account takeover (ATO) of higher-privileged accounts. The potential for unauthorized access to sensitive data and system control makes this a critical security risk. Successful exploitation could lead to data breaches, system compromise, and disruption of learning activities.
CVE-2025-59542 was published on 2026-03-06. Currently, there are no publicly known active exploitation campaigns targeting this vulnerability. The vulnerability's relatively straightforward exploitation path and the potential for significant impact suggest it could become a target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Exploit Status
EPSS
0.04% (13th percentile)
The primary mitigation for CVE-2025-59542 is to upgrade Chamilo LMS to version 1.11.34 or later. Before upgrading, it's crucial to back up your Chamilo LMS installation to allow for rollback if issues arise. While a direct fix is available through upgrading, consider implementing input validation and output encoding on user-supplied data within the learning path settings to further reduce the attack surface. Monitor web application firewalls (WAFs) for suspicious JavaScript injection attempts targeting the course learning path settings endpoint. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the course learning path Settings field and verifying that it does not execute.
Update Chamilo LMS to version 1.11.34 or higher. This version contains a fix for the stored XSS vulnerability in course learning paths.
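A minimal illustration of the output-encoding control and the post-upgrade check described above, as an added PHP example that is not Chamilo's own code; the function names, the HTML wrapper and the probe strings are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Chamilo's own code. Function names, the HTML wrapper and
// the probe payloads are constructed for illustration.

// Vulnerable pattern: the stored Settings value is written into the page verbatim,
// so markup a trainer saved is parsed and executed in every viewer's browser.
function renderSettingUnsafe(string $storedValue): string
{
    return '<div class="lp-setting">' . $storedValue . '</div>';
}

// Hardened pattern: encode at output time for the HTML body context.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE keeps invalid UTF-8
// from silently turning the whole string into an empty one.
function renderSettingSafe(string $storedValue): string
{
    $encoded = htmlspecialchars($storedValue, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="lp-setting">' . $encoded . '</div>';
}

// Post-upgrade check as the advisory describes it: render a benign probe and
// confirm a browser would see it as text, not as markup. The fragment is parsed
// with DOMDocument; probes are kept ASCII because loadHTML defaults to Latin-1.
function probeRendersAsText(string $renderedHtml, string $probe): bool
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);   // silence parser warnings on odd markup
    $dom->loadHTML($renderedHtml);
    libxml_clear_errors();
    $noScriptElements = $dom->getElementsByTagName('script')->length === 0;
    // If the payload was encoded, it survives only as the element's text content.
    return $noScriptElements && $dom->textContent === $probe;
}

$probes = [
    '<script>alert(1)</script>',
    '<img src=x onerror=alert(1)>',
];
foreach ($probes as $probe) {
    printf("unsafe renderer neutralises probe: %s\n",
        probeRendersAsText(renderSettingUnsafe($probe), $probe) ? 'yes' : 'NO');
    printf("safe renderer neutralises probe:   %s\n",
        probeRendersAsText(renderSettingSafe($probe), $probe) ? 'yes' : 'NO');
}
```

The same check can be run against the real course information page after the upgrade by fetching the rendered HTML of a course whose Settings field holds one of the probes.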
CVE-2025-59542 is a stored cross-site scripting (XSS) vulnerability in Chamilo LMS versions prior to 1.11.34, allowing attackers to inject malicious JavaScript.
You are affected if you are running Chamilo LMS version 1.11.34 or earlier. Upgrade to version 1.11.34 to mitigate the risk.
Upgrade Chamilo LMS to version 1.11.34 or later. Back up your installation before upgrading.
There are currently no publicly known active exploitation campaigns, but the vulnerability's impact suggests it could become a target.
Refer to the official Chamilo security advisory for details and further guidance: [https://www.chamilo.org/en/security-advisories](https://www.chamilo.org/en/security-advisories)