CVE-2025-52563 is a reflected cross-site scripting (XSS) vulnerability identified in Chamilo LMS, an open-source learning management system widely used in educational institutions. The vulnerability exists in versions prior to 1.11.30 due to improper neutralization of user-supplied input in the 'page' parameter of the session/add_users_to_session.php endpoint. Specifically, the application fails to adequately sanitize this parameter before reflecting it in the web page output, allowing attackers to inject malicious JavaScript code. When a victim user interacts with a crafted URL containing the malicious payload, the injected script executes in their browser context. This can lead to theft of session cookies, enabling account hijacking, or execution of unauthorized actions on behalf of the user. The vulnerability requires no authentication, increasing its risk, but does require user interaction (clicking a malicious link). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and low impact on confidentiality and integrity but no impact on availability. The issue was patched in Chamilo LMS version 1.11.30, which properly sanitizes the input to prevent script injection. No known exploits have been reported in the wild as of the publication date. The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), CWE-80 (Improper Neutralization of Script-Related HTML Tags), and CWE-87 (Improper Neutralization of Alternate XSS Vectors).

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript in the context of the victim's browser when interacting with the vulnerable Chamilo LMS instance. This can lead to session hijacking, allowing attackers to impersonate legitimate users, potentially including administrators or instructors. Attackers could also steal sensitive information such as credentials or personal data, manipulate LMS content, or perform unauthorized actions on behalf of users. For educational institutions relying on Chamilo LMS, this could disrupt learning activities, compromise student and staff data privacy, and damage institutional reputation. Although the vulnerability does not directly affect system availability, the indirect consequences of compromised accounts and data integrity could be significant. The medium CVSS score reflects moderate risk, but the widespread use of Chamilo LMS in various countries' education sectors increases the potential attack surface. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.

1. Immediate upgrade: Organizations should upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability is patched. 2. Input validation: Implement strict server-side input validation and sanitization for all user-supplied parameters, especially those reflected in web pages. 3. Content Security Policy (CSP): Deploy a strong CSP to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 4. User awareness: Educate users to avoid clicking suspicious links and to report unusual LMS behavior. 5. Web Application Firewall (WAF): Configure WAF rules to detect and block common XSS attack patterns targeting the vulnerable endpoint. 6. Regular security assessments: Conduct periodic vulnerability scans and penetration tests focusing on web application input handling. 7. Session management: Implement secure cookie attributes (HttpOnly, Secure, SameSite) to limit session cookie theft impact. 8. Monitoring and logging: Enable detailed logging of web requests to detect potential exploitation attempts and respond promptly.