CVE-2025-59540: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in chamilo chamilo-lms
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is not properly encoded before rendering, allowing malicious scripts to persist in the database and execute on view. This issue has been patched in version 1.11.34.
AI Analysis
Technical Summary
Chamilo LMS, an open-source learning management system, suffers from a stored cross-site scripting vulnerability identified as CVE-2025-59540. This vulnerability exists in versions prior to 1.11.34 and is caused by improper neutralization of script-related HTML tags (CWE-80/CWE-79) in the feedback input field on the exercise history page. Specifically, when a staff user submits feedback containing malicious JavaScript, the input is stored in the database without proper encoding or sanitization. When an administrator with higher privileges accesses the exercise history page, the malicious script executes in their browser context. This can lead to session hijacking, privilege escalation, or unauthorized actions within the LMS. The vulnerability requires a staff-level authenticated user to inject the payload and an admin user to view the malicious content, implying a limited attack surface but significant impact if exploited. The issue has been addressed in Chamilo LMS version 1.11.34 by implementing proper output encoding and input validation. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, privileges required only at the staff-user level, user interaction required, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability poses a risk to organizations using vulnerable versions of Chamilo LMS.
Potential Impact
The impact of CVE-2025-59540 is primarily on the confidentiality and integrity of the Chamilo LMS environment. Successful exploitation allows a staff user to execute arbitrary JavaScript in the context of an admin user’s browser, potentially leading to session hijacking, theft of admin credentials, unauthorized administrative actions, or deployment of further malware. This could compromise the entire LMS platform, affecting sensitive educational data, user privacy, and system integrity. Organizations relying on Chamilo LMS for educational or training purposes may face disruption, data breaches, or loss of trust. Although exploitation requires authenticated staff access and user interaction, the risk is significant in environments with multiple privilege levels and sensitive data. The vulnerability could also be leveraged as a foothold for broader network attacks if admins have elevated access to backend systems. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed and patched.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade Chamilo LMS to version 1.11.34 or later, where the issue is patched. Until upgrading, restrict staff user permissions to the minimum necessary to reduce the risk of malicious input. Implement web application firewall (WAF) rules to detect and block suspicious script injection attempts targeting the exercise history feedback input. Conduct regular security training for administrators to recognize and avoid interacting with suspicious content. Enable Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the LMS web application. Review and harden input validation and output encoding practices across all user input fields in Chamilo LMS deployments. Monitor logs for unusual activity related to feedback submissions and admin page accesses. Finally, consider isolating the LMS environment and limiting admin access to trusted networks to reduce exposure.
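The two defensive steps described above, encoding stored feedback at the output boundary and auditing rows that were persisted before the upgrade, as an added illustration (not Chamilo's code; the table columns and sample rows are constructed):

```python
"""Defender-side helpers for a stored XSS in a feedback field (CWE-80/CWE-79).

Added illustration, not Chamilo code. Assumes a hypothetical feedback table
with columns id, author_role, feedback. Sample rows are constructed.
"""
import html
import re
from typing import Dict, List

SAMPLE_ROWS: List[Dict[str, object]] = [  # constructed, not real data
    {"id": 1, "author_role": "staff", "feedback": "Good work, see section 3."},
    {"id": 2, "author_role": "staff", "feedback": "Nice <b>effort</b> overall"},
    {"id": 3, "author_role": "staff", "feedback": "Retry <script>void 0</script> Q2"},
    {"id": 4, "author_role": "staff", "feedback": '<img src="x" onerror="f()">'},
]


def render_feedback_unsafe(feedback: str) -> str:
    """Pre-1.11.34 pattern: stored text is dropped into the page verbatim,
    so markup submitted by staff becomes live HTML in the admin's browser."""
    return f'<td class="feedback">{feedback}</td>'


def render_feedback(feedback: str) -> str:
    """Hardened pattern: encode at the output boundary. quote=True also
    encodes quotes, so the same helper is safe inside attribute values."""
    return f'<td class="feedback">{html.escape(feedback, quote=True)}</td>'


# Script-related markup a feedback comment should never need (CWE-80 focus):
# script/iframe-style tags, inline event handlers, javascript: URLs.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed|svg|math)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)


def find_suspicious_feedback(rows: List[Dict[str, object]]) -> List[int]:
    """Audit already-stored feedback rows: upgrading fixes rendering, not
    rows persisted before the patch. Returns ids worth manual review."""
    return [int(r["id"]) for r in rows if SUSPICIOUS.search(str(r["feedback"]))]


if __name__ == "__main__":
    for r in SAMPLE_ROWS:
        print(render_feedback(str(r["feedback"])))
    print("review:", find_suspicious_feedback(SAMPLE_ROWS))
```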
Affected Countries
United States, France, Brazil, Spain, Germany, Argentina, Mexico, Colombia, Italy, Portugal
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-17T17:04:20.374Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69aa5508c48b3f10fff1d3bb
Added to database: 3/6/2026, 4:16:08 AM
Last enriched: 3/6/2026, 4:31:38 AM
Last updated: 3/7/2026, 7:10:26 AM