Chamilo LMS, an open-source learning management system widely used in educational institutions, suffers from a reflected cross-site scripting (XSS) vulnerability identified as CVE-2025-52475. This vulnerability affects versions prior to 1.11.30 and is located in the admin/user_list.php endpoint, specifically in the handling of the keyword_inactive parameter. The parameter is not properly sanitized before being reflected in the web page output, allowing an attacker to craft a malicious URL embedding JavaScript code. When an administrator or user with access to this endpoint clicks the malicious link, the injected script executes in their browser context. This can lead to theft of session cookies, unauthorized actions performed on behalf of the user, or redirection to malicious sites. The vulnerability does not require authentication or privileges to exploit but does require user interaction (clicking the crafted URL). The flaw was addressed and patched in Chamilo LMS version 1.11.30 by implementing proper input validation and output encoding to neutralize injected scripts. The CVSS 4.0 base score of 5.1 reflects a medium severity level, indicating moderate impact with relatively easy exploitation over the network without authentication. No known active exploits have been reported as of now. This vulnerability falls under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of this vulnerability is on the confidentiality and integrity of user sessions and data within Chamilo LMS environments. Successful exploitation allows attackers to execute arbitrary JavaScript in the context of the victim’s browser, potentially leading to session hijacking, credential theft, unauthorized actions, or phishing via redirection. Educational institutions and organizations relying on Chamilo LMS for training and learning management could face data breaches, loss of user trust, and disruption of services. Although the vulnerability does not directly affect availability, indirect impacts such as defacement or injection of malicious content could degrade user experience and trust. Since the vulnerability requires user interaction but no authentication, it can be exploited by sending crafted URLs via email or other communication channels to administrators or users with access to the vulnerable endpoint. The medium severity score reflects that while the impact is significant, exploitation complexity and scope are moderate. Organizations with large user bases or sensitive educational data are at higher risk of reputational damage and compliance issues if exploited.

The most effective mitigation is to upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability has been patched. For organizations unable to immediately update, implement the following specific measures: 1) Apply strict input validation and output encoding on the keyword_inactive parameter at the web application firewall (WAF) or reverse proxy level to block malicious script payloads. 2) Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. 3) Educate administrators and users to avoid clicking suspicious or unsolicited URLs, especially those targeting admin endpoints. 4) Monitor web server logs for unusual requests to admin/user_list.php containing suspicious parameters. 5) Limit administrative access to trusted networks and IPs to reduce exposure. 6) Regularly audit and review LMS configurations and user privileges to minimize attack surface. These targeted mitigations complement patching and reduce the window of exposure.