CVE-2025-52563 is a reflected cross-site scripting (XSS) vulnerability identified in Chamilo LMS, an open-source learning management system widely used in educational institutions. The vulnerability exists in versions prior to 1.11.30 due to insufficient sanitization of the 'page' parameter in the session/add_users_to_session.php endpoint. This improper neutralization of input (CWE-79) allows an attacker to craft a malicious URL containing executable JavaScript code that, when accessed by a user, runs in their browser context. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-80 (Improper Neutralization of Script-Related HTML Tags), and CWE-87 (Improper Neutralization of Alternate XSS Vectors). The CVSS 4.0 vector indicates the attack is network exploitable (AV:N), requires no privileges (PR:N), no authentication (AT:N), but does require user interaction (UI:A). The impact on confidentiality and integrity is low, with no availability impact. This vulnerability could be leveraged for session hijacking, stealing cookies, or conducting phishing attacks by injecting malicious scripts. The vendor has addressed the issue in version 1.11.30, and no known exploits have been reported in the wild as of the publication date. The vulnerability's medium severity score (5.1) reflects its moderate risk level, emphasizing the need for timely patching in affected deployments.

The primary impact of CVE-2025-52563 is the potential execution of malicious scripts in the browsers of users interacting with vulnerable Chamilo LMS instances. This can lead to session hijacking, theft of authentication tokens or cookies, unauthorized actions performed on behalf of users, and phishing attacks that could compromise user credentials. While the vulnerability does not directly affect system availability or integrity of the LMS backend, the compromise of user sessions or credentials can lead to unauthorized access to sensitive educational data and user information. Educational institutions and organizations relying on Chamilo LMS for training and learning management could face reputational damage, data privacy violations, and potential regulatory consequences if user data is exposed. The requirement for user interaction (clicking a malicious link) somewhat limits the scope of exploitation but does not eliminate risk, especially in environments with large user bases and potential for social engineering. The absence of known exploits in the wild reduces immediate risk but does not preclude future attacks, particularly as the vulnerability is publicly known and patched.

To mitigate CVE-2025-52563, organizations should immediately upgrade Chamilo LMS installations to version 1.11.30 or later, where the vulnerability has been patched. In addition to patching, administrators should implement strict input validation and output encoding for all user-supplied parameters, especially those reflected in web pages. Employing Content Security Policy (CSP) headers can help reduce the impact of potential XSS by restricting the execution of unauthorized scripts. Regular security audits and penetration testing focused on input sanitization should be conducted to identify similar vulnerabilities. User education on the risks of clicking unsolicited or suspicious links can reduce the likelihood of successful exploitation. Monitoring web server logs for unusual URL patterns targeting the vulnerable endpoint may help detect attempted exploitation. Finally, consider deploying web application firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting Chamilo LMS endpoints.