Platform: php
Component: chamilo-lms
Fixed in: 1.11.1
CVE-2025-66447 describes an open redirect vulnerability discovered in Chamilo LMS. This flaw allows an attacker to redirect users to arbitrary URLs via the redirect parameter in the /login endpoint. The vulnerability affects versions 1.11.0 and later up to, but not including, 2.0-RC.3. A fix is available in version 2.0-beta.2.
An attacker can exploit this open redirect vulnerability to craft malicious links that, when clicked by a user, redirect them to a phishing site or a site hosting malware. This could lead to credential theft, malware infection, or other malicious actions. The impact is amplified if the Chamilo LMS is used within an organization where users trust the system and are less likely to scrutinize links originating from it. Successful exploitation could damage the organization's reputation and compromise sensitive data.
As of the publication date, there is no public evidence of CVE-2025-66447 being actively exploited. The vulnerability is not listed on KEV (Known Exploited Vulnerabilities) as of this writing. The EPSS (Exploit Prediction Scoring System) score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Exploit Status
EPSS: 0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-66447 is to upgrade Chamilo LMS to version 2.0-beta.2 or later. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block requests containing the redirect parameter in the /login endpoint. Alternatively, implement server-side input validation that restricts the redirect parameter to same-site targets and prevents it from carrying arbitrary URLs. After upgrading, verify the fix by requesting /login with a redirect parameter pointing at a non-existent external URL; the system should not redirect off-site.
Upgrade Chamilo LMS to version 2.0-beta.2 or later to mitigate the unvalidated redirect vulnerability on the login page. This update fixes the problem by correctly validating the destination URL before performing the redirect.
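The server-side validation described above, written out as an added example; this is not Chamilo's own code nor the project's fix, and it is in Python so it runs stand-alone rather than in the LMS's PHP. It assumes the LMS is served at the constructed hostname lms.example.org and that the site root "/" is the safe fallback. It goes beyond the single parameter named in the advisory by handling the forms that a naive "starts with a slash" or "contains our hostname" check misses: scheme-relative `//host`, backslash and triple-slash variants, userinfo tricks (`https://site@evil`), non-http schemes such as `javascript:`, and CR/LF that would otherwise reach the Location header.

```python
"""Allowlist validator for a login ``redirect`` parameter (added example).

Assumptions (not from the advisory): the LMS answers on the hostname in
ALLOWED_HOSTS and the safe fallback target is the site root "/".
"""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"lms.example.org"}   # assumption: the LMS's own hostname(s)
DEFAULT_TARGET = "/"


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT_TARGET):
    """Return a same-site redirect target derived from ``raw``, or ``default``.

    Accepted: a site-relative path ("/main/...") or an absolute http(s) URL
    whose host is in ``allowed_hosts``; the latter is reduced to its path,
    query and fragment so the Location header never names a host at all.
    Anything else falls back to ``default``.
    """
    if not isinstance(raw, str) or not raw:
        return default
    # Control characters and whitespace have no place in a redirect target;
    # CR/LF in particular would allow header injection via Location.
    if any(ord(c) < 0x20 or c in " \x7f" for c in raw):
        return default
    # Browsers treat a backslash like a slash, so "/\evil" means "//evil".
    if "\\" in raw:
        return default
    if raw.startswith("/"):
        # "//host" is scheme-relative and "///host" collapses to it as well;
        # both leave the site, so only a single leading slash is allowed.
        if len(raw) > 1 and raw[1] == "/":
            return default
        return raw
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ("http", "https"):
        return default            # javascript:, data:, ftp:, or no scheme at all
    if "@" in parts.netloc:
        return default            # "https://lms.example.org@evil.test/" lands on evil.test
    host = parts.hostname
    if host is None or host.lower() not in allowed_hosts:
        return default
    # Same-site absolute URL: keep only path/query/fragment, then re-validate
    # the result as a relative path (catches "https://site//evil.test").
    relative = urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    return safe_redirect_target(relative, allowed_hosts, default)


if __name__ == "__main__":
    # Constructed sample inputs, the kind a /login?redirect=... request might carry.
    samples = [
        "/main/index.php",
        "https://lms.example.org/courses/1?tab=2",
        "//evil.example/x",
        "/\\evil.example",
        "///evil.example",
        "javascript:alert(1)",
        "https://lms.example.org@evil.example/",
        "https://lms.example.org//evil.example",
        "/x\r\nSet-Cookie: a=b",
    ]
    for s in samples:
        print(f"{s!r:48} -> {safe_redirect_target(s)!r}")
```

Note the design choice: an accepted absolute URL is rewritten to a path-only target, so the response never echoes a host back into Location, and the rewritten value is run through the relative-path branch again. A WAF rule that simply drops every request carrying `redirect` is a coarser stopgap; it will also break legitimate post-login return-to-page behaviour, which is why the validator above is the better interim control until the upgrade lands.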
CVE-2025-66447 is a vulnerability in Chamilo LMS allowing attackers to redirect users to malicious websites via the /login endpoint. It affects versions 1.11.0 through 2.0-beta.1, enabling potential phishing or malware attacks.
You are affected if you are running Chamilo LMS versions 1.11.0 up to, but not including, 2.0-RC.3. Check your version and upgrade immediately if vulnerable.
Upgrade Chamilo LMS to version 2.0-beta.2 or later. As a temporary workaround, implement a WAF rule to block malicious redirects or sanitize the redirect parameter.
As of the current date, there is no public evidence of CVE-2025-66447 being actively exploited, but continuous monitoring is recommended.
Refer to the official Chamilo LMS security advisories on their website for the latest information and updates regarding CVE-2025-66447.