Chamilo LMS, an open-source learning management system widely used in educational institutions, contains a reflected cross-site scripting vulnerability identified as CVE-2025-52475. This vulnerability arises from improper neutralization of user-supplied input in the keyword_inactive parameter of the admin/user_list.php endpoint. Prior to version 1.11.30, this parameter is not sanitized correctly, allowing attackers to craft URLs that inject malicious JavaScript code. When an administrator or user with access to this endpoint clicks such a URL, the injected script executes in their browser context. This reflected XSS can be leveraged to steal session cookies, perform actions on behalf of the user, or deliver further malware payloads. The vulnerability does not require authentication or privileges to exploit but does require user interaction. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and low impact on integrity and availability but no impact on confidentiality. The issue was reserved in June 2025 and published in March 2026, with no known active exploitation reported. The vulnerability has been addressed in Chamilo LMS version 1.11.30 by implementing proper input sanitization and output encoding for the affected parameter.

The primary impact of this vulnerability is on the confidentiality and integrity of user sessions within Chamilo LMS installations running vulnerable versions. Successful exploitation can lead to session hijacking, allowing attackers to impersonate administrators or other privileged users. This can result in unauthorized access to sensitive educational data, manipulation of user accounts, or disruption of LMS operations. While the availability impact is low, the breach of user trust and potential data leakage can be significant, especially in academic environments handling personal and institutional data. Since the vulnerability requires user interaction, phishing or social engineering campaigns targeting LMS administrators are likely attack vectors. Organizations relying on Chamilo LMS for critical educational services may face reputational damage and compliance risks if exploited. The medium CVSS score reflects the moderate risk level, balancing ease of exploitation with limited impact scope.

Organizations should immediately upgrade Chamilo LMS installations to version 1.11.30 or later, where the vulnerability is patched. Until upgrading is possible, administrators should implement strict input validation and output encoding on the keyword_inactive parameter at the web application firewall (WAF) or reverse proxy level to block malicious payloads. Additionally, deploying Content Security Policy (CSP) headers can help mitigate the impact of injected scripts by restricting script execution sources. Educate LMS administrators and users to be cautious of unsolicited links, especially those targeting administrative interfaces. Regularly audit and monitor LMS logs for unusual access patterns or suspicious URL requests. Employ multi-factor authentication (MFA) for administrative accounts to reduce the risk of session hijacking consequences. Finally, conduct security assessments and penetration testing focused on web application vulnerabilities to identify and remediate similar issues proactively.