CVE-2024-30618: n/a
A Stored Cross-Site Scripting (XSS) Vulnerability in Chamilo LMS 1.11.26 allows a remote attacker to execute arbitrary JavaScript in a web browser by including a malicious payload in the 'content' parameter of 'group_topics.php'.
AI Analysis
Technical Summary
CVE-2024-30618 is a stored Cross-Site Scripting (XSS) vulnerability identified in Chamilo LMS version 1.11.26, a widely used open-source learning management system. The vulnerability arises from insufficient input validation and output encoding of the 'content' parameter in the 'group_topics.php' script. An attacker can craft a malicious payload containing JavaScript code and inject it into the 'content' field, which is then stored on the server and rendered in the web interface when other users access the affected page. This stored XSS flaw allows arbitrary script execution in the context of the victim's browser session, potentially leading to session hijacking, theft of sensitive information such as cookies or credentials, and unauthorized actions performed on behalf of the user. The attack vector is remote and does not require authentication, but user interaction is necessary to trigger the malicious script. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.1, indicating a medium severity level, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), scope changed (S:C), and impacts on confidentiality and integrity but not availability. No patches or official fixes are linked yet, and no known exploits have been reported in the wild as of the publication date. This vulnerability poses a significant risk to organizations relying on Chamilo LMS for educational and training purposes, especially where sensitive user data and authentication tokens are involved.
Potential Impact
The primary impact of CVE-2024-30618 is on the confidentiality and integrity of user data within Chamilo LMS environments. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users, potentially gaining unauthorized access to course materials, personal information, or administrative functions. This can result in data leakage, unauthorized modifications, and disruption of educational activities. Although availability is not directly affected, the trustworthiness of the platform can be compromised, leading to reputational damage and potential regulatory compliance issues related to data protection. Since the vulnerability requires user interaction but no authentication, it can be exploited by external attackers targeting students, instructors, or administrators. The scope change in the CVSS vector indicates that the vulnerability can affect resources beyond the initially vulnerable component, increasing the potential attack surface. Organizations worldwide using Chamilo LMS, especially those in education sectors with sensitive or regulated data, face risks of targeted attacks or broader exploitation campaigns once public exploit code becomes available.
Mitigation Recommendations
To mitigate CVE-2024-30618, organizations should first monitor Chamilo LMS official channels for patches or updates addressing this vulnerability and apply them promptly. In the absence of an official patch, administrators can implement input validation and output encoding controls at the application or web server level to sanitize the 'content' parameter, preventing malicious script injection. Employing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting 'group_topics.php' can provide interim protection. Additionally, enforcing Content Security Policy (CSP) headers can limit the execution of unauthorized scripts in users' browsers. User awareness training to recognize suspicious links or content within the LMS can reduce the likelihood of successful exploitation. Regular security assessments and code reviews of custom LMS integrations or plugins should be conducted to identify similar vulnerabilities. Finally, restricting the ability to post or edit content in sensitive areas to trusted users can minimize attack vectors.
Affected Countries
Brazil, France, Spain, Mexico, Colombia, Argentina, Portugal, Italy, Chile, Peru
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-03-27T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6dc4b7ef31ef0b58de6c
Added to database: 2/25/2026, 9:46:44 PM
Last enriched: 2/26/2026, 12:12:18 PM
Last updated: 4/12/2026, 6:13:54 PM