Chamilo LMS, an open-source learning management system, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-59542, classified under CWE-79. This vulnerability exists in versions prior to 1.11.34 and arises due to improper neutralization of user input in the course learning path Settings field. A low-privileged user, such as a trainer, can inject malicious JavaScript code into this field. When other users, including administrators or higher-privileged users, view the course information page, the injected script executes in their browser context. This execution can lead to theft of sensitive session cookies or authentication tokens, enabling attackers to hijack accounts (account takeover). The vulnerability requires the attacker to have at least low-level access to input data and for victims to interact by viewing the compromised page. The CVSS v3.1 score of 9.1 indicates critical severity, with network attack vector, low attack complexity, privileges required at a low level, and user interaction required. The scope is changed as the vulnerability affects other users beyond the attacker. The impact on confidentiality, integrity, and availability is high due to potential full account compromise and subsequent unauthorized actions. No known exploits are reported in the wild yet, but the vulnerability is publicly disclosed and patched in version 1.11.34. Organizations running affected versions should prioritize patching and consider additional input validation and output encoding controls to mitigate risk.

This vulnerability poses a significant risk to organizations using Chamilo LMS, especially educational institutions and enterprises relying on this platform for training and learning management. Successful exploitation can lead to account takeover of administrators or other privileged users, compromising the entire LMS environment. Attackers could manipulate course content, access sensitive user data, or disrupt LMS operations. The breach of administrator accounts can facilitate further lateral movement or persistent access within the organization’s IT infrastructure. Given the critical CVSS score, the impact on confidentiality (session hijacking), integrity (unauthorized content modification), and availability (potential disruption) is severe. The requirement for only low privileges to inject malicious code broadens the attack surface, increasing the likelihood of exploitation. Although no active exploits are reported, the public disclosure and critical nature make this a high-priority threat for all Chamilo LMS users worldwide.

1. Immediately upgrade Chamilo LMS installations to version 1.11.34 or later, where the vulnerability is patched. 2. Implement strict input validation and output encoding on all user-supplied data fields, especially those accessible by low-privileged users, to prevent injection of executable scripts. 3. Restrict the ability of low-privileged users to input HTML or JavaScript content in course settings or other fields that render in other users' browsers. 4. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the LMS web application. 5. Monitor LMS logs for unusual activity or access patterns indicative of exploitation attempts. 6. Educate administrators and users about the risks of XSS and encourage cautious behavior when interacting with LMS content. 7. Conduct regular security assessments and penetration testing focused on web application vulnerabilities in the LMS environment. 8. If immediate patching is not feasible, consider temporarily disabling or restricting the affected course learning path Settings field to prevent malicious input.