Chamilo LMS, an open-source learning management system widely used in educational institutions, is affected by a reflected cross-site scripting (XSS) vulnerability identified as CVE-2025-52476. This vulnerability exists in versions prior to 1.11.30 due to improper neutralization of user-supplied input in the keyword_active parameter within the admin/user_list.php script. Specifically, the application fails to adequately sanitize this parameter before reflecting it in the web page output, allowing an attacker to inject malicious JavaScript code. When a victim user, typically an administrator or staff member with access to the admin interface, clicks on a crafted URL containing the malicious payload, the script executes in their browser context. This can lead to theft of session cookies, enabling account takeover, or execution of arbitrary actions with the victim’s privileges. The vulnerability requires no authentication to exploit but does require user interaction (clicking the malicious link). The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N) reflects network attack vector, low attack complexity, no privileges required, user interaction needed, and limited impact on integrity. The issue was patched in Chamilo LMS version 1.11.30, which properly sanitizes the input to prevent script injection. No public exploits have been reported yet, but the vulnerability poses a moderate risk given the sensitive nature of LMS environments and the potential for privilege escalation or data theft.

The primary impact of this vulnerability is on the confidentiality and integrity of user sessions and data within the Chamilo LMS environment. Successful exploitation can lead to session hijacking, allowing attackers to impersonate administrative users and potentially modify course content, user data, or system settings. This can disrupt educational operations, compromise student and staff information, and damage institutional reputation. Since the vulnerability is reflected XSS, it requires social engineering to lure users into clicking malicious links, but the lack of authentication requirement lowers the barrier for attackers. The availability impact is minimal as the vulnerability does not directly cause denial of service. However, indirect impacts such as administrative account compromise could lead to broader system misuse or downtime. Organizations relying on Chamilo LMS for critical educational delivery or data management face moderate risk, especially if they have not applied the patch or implemented compensating controls.

1. Upgrade Chamilo LMS to version 1.11.30 or later immediately to apply the official patch that properly sanitizes the keyword_active parameter. 2. Implement strict input validation and output encoding on all user-supplied data, especially parameters reflected in web pages. 3. Deploy a Content Security Policy (CSP) to restrict execution of unauthorized scripts, mitigating the impact of potential XSS payloads. 4. Educate administrative users and staff about the risks of clicking unknown or suspicious links, reducing the likelihood of successful social engineering. 5. Monitor web server logs and application logs for unusual URL patterns or repeated attempts to exploit the keyword_active parameter. 6. Consider using web application firewalls (WAFs) with rules designed to detect and block reflected XSS attempts targeting Chamilo LMS. 7. Regularly audit and test the LMS environment for other potential input validation issues to proactively prevent similar vulnerabilities.