
CVE-2025-55289: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in chamilo chamilo-lms

Severity: High
Tags: Vulnerability, CVE-2025-55289, cwe-79
Published: Fri Mar 06 2026 (03/06/2026, 03:27:45 UTC)
Source: CVE Database V5
Vendor/Project: chamilo
Product: chamilo-lms

Description

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability in Chamilo LMS (Version 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform's social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim's privileges, exfiltration of sensitive data, and potential self-propagation to other users. This issue has been patched in version 1.11.34.

AI-Powered Analysis

Last updated: 03/06/2026, 04:31:15 UTC

Technical Analysis

Chamilo LMS, a widely used open-source learning management system, suffers from a stored Cross-Site Scripting (XSS) vulnerability identified as CVE-2025-55289. This vulnerability exists in versions prior to 1.11.34, notably version 1.11.32, within the social network and internal messaging components of the platform. The root cause is improper neutralization of user-supplied input during web page generation, classified under CWE-79. An attacker with at least limited privileges can inject arbitrary JavaScript code into these features, which is then stored persistently on the server. When an authenticated user, including administrators, accesses the affected pages, the malicious script executes in their browser under the LMS domain context. This execution allows the attacker to hijack user sessions, perform unauthorized actions with the victim’s privileges, exfiltrate sensitive data, and potentially propagate the attack to other users by injecting further payloads. The vulnerability does not require user interaction beyond viewing the malicious content, and no additional authentication bypass is needed beyond the initial injection capability. The CVSS v3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no user interaction requirement. Although no known exploits are currently in the wild, the vulnerability poses a significant risk to organizations relying on Chamilo LMS for educational and training purposes. The vendor has addressed the issue in version 1.11.34, and users are strongly advised to upgrade to this or later versions to remediate the vulnerability.

Potential Impact

The impact of CVE-2025-55289 is substantial for organizations using vulnerable versions of Chamilo LMS. Successful exploitation can lead to full account takeover of any authenticated user, including administrators, resulting in unauthorized access to sensitive educational data, user information, and potentially confidential organizational content. Attackers can manipulate LMS functionalities, disrupt learning activities, and compromise the integrity of training materials. The ability to exfiltrate data and perform actions with elevated privileges increases the risk of data breaches and operational disruption. Additionally, the stored nature of the XSS allows the attack to persist and spread among users, magnifying the potential damage. Educational institutions, corporate training departments, and any entities relying on Chamilo LMS for critical learning infrastructure face risks to confidentiality, integrity, and availability. The vulnerability could also be leveraged for broader network pivoting if attackers gain administrative control. Given the widespread use of Chamilo in various countries, the threat has a global reach, particularly affecting regions with significant adoption of open-source LMS platforms.

Mitigation Recommendations

To mitigate CVE-2025-55289, organizations should immediately upgrade Chamilo LMS to version 1.11.34 or later, where the vulnerability has been patched. Beyond patching, administrators should audit and sanitize all user-generated content in social network and messaging features to remove any potentially malicious scripts that may have been injected prior to the update. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the LMS domain. Employ web application firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting Chamilo LMS. Conduct regular security training for LMS administrators and users to recognize suspicious content and report anomalies. Review and tighten user privilege assignments to minimize the number of users who can post content that is rendered without proper sanitization. Finally, implement robust session management controls, such as secure cookies and session expiration, to reduce the impact of session hijacking attempts.
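The recommendations above (escape user-generated content at output time, audit rows stored before the patch, add CSP and hardened session cookies) can be illustrated in a few lines. The block below is an added example with constructed sample messages; it is not Chamilo's code, and the template, field names and header values are assumptions chosen to show the defensive pattern rather than the project's actual markup.

```python
"""Defensive illustration for stored XSS in user-generated content
(social-network posts, internal messages): escape on output, audit
stored rows, and set CSP / cookie headers that limit what an injected
script could do.  Added example with constructed data; not Chamilo's code."""
import html
import re
from typing import Dict, List

# Constructed sample rows standing in for what a messaging table might hold.
# Rows 2 and 3 are textbook XSS probes used only to exercise the defensive logic.
SAMPLE_MESSAGES: List[Dict[str, object]] = [
    {"id": 1, "author": "alice", "body": "See you at the <b>study group</b> tomorrow"},
    {"id": 2, "author": "mallory", "body": "<script>alert('xss')</script>"},
    {"id": 3, "author": "bob", "body": '<img src="x" onerror="alert(1)">'},
    {"id": 4, "author": "carol", "body": "Q: is 2 < 3 && 4 > 1? Yes."},
]

# Hypothetical list-item template; the real page markup is not shown on the page.
MESSAGE_TEMPLATE = '<li class="msg" data-id="{id}"><b>{author}</b>: {body}</li>'


def render_unsafe(msg: Dict[str, object]) -> str:
    """The CWE-79 pattern: stored text is interpolated straight into markup."""
    return MESSAGE_TEMPLATE.format(**msg)


def render_safe(msg: Dict[str, object]) -> str:
    """Hardened rendering: every user-controlled field is HTML-escaped at
    output time (quote=True also neutralises attribute-context breakouts)."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in msg.items()}
    return MESSAGE_TEMPLATE.format(**escaped)


# Patterns worth flagging when auditing content stored before the upgrade.
# This is a triage aid for administrators, not a sanitiser: escaping on
# output is the actual fix, and a regex will not catch every encoding trick.
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*iframe\b|<\s*object\b|<\s*embed\b",
    re.IGNORECASE,
)


def find_suspicious(messages: List[Dict[str, object]]) -> List[int]:
    """Return ids of stored messages that contain script-bearing markup."""
    return [int(m["id"]) for m in messages if SUSPICIOUS.search(str(m["body"]))]


def security_headers() -> Dict[str, str]:
    """Response headers that shrink the blast radius of any script that still
    slips through: the CSP forbids inline script and foreign script origins."""
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'self'"
        ),
        "X-Content-Type-Options": "nosniff",
    }


def session_cookie(session_id: str) -> str:
    """Set-Cookie value for a session: HttpOnly keeps document.cookie from
    exposing it to injected script, Secure and SameSite limit where it is sent."""
    return f"session_id={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(render_safe(m))
    print("flagged for review:", find_suspicious(SAMPLE_MESSAGES))
    print(security_headers()["Content-Security-Policy"])
```

Note that the audit regex deliberately flags row 3 even though it contains no `<script>` tag: event-handler attributes are the usual way a payload survives naive tag filtering, which is why output escaping, not a blocklist, is the durable fix. Row 4 shows that escaping preserves legitimate text containing `<`, `>` and `&` without breaking the page.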


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-12T16:15:30.237Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69aa5508c48b3f10fff1d3b7

Added to database: 3/6/2026, 4:16:08 AM

Last enriched: 3/6/2026, 4:31:15 AM

Last updated: 3/7/2026, 4:20:55 AM

Views: 6
