Chamilo LMS, a widely used open-source learning management system, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-59543. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically in the course description field. Attackers with low-level privileges, such as trainers, can inject malicious JavaScript code into this field. When other users, including administrators, access the affected course page, the malicious script executes within their browser context. This execution can lead to theft of sensitive session cookies or authentication tokens, enabling attackers to hijack accounts with elevated privileges. The vulnerability affects all Chamilo LMS versions prior to 1.11.34 and has been patched in that release. The CVSS v3.1 base score of 9.1 indicates critical severity, with network attack vector, low attack complexity, requiring privileges but user interaction, and impacting confidentiality, integrity, and availability with scope change. Although no known exploits have been reported in the wild yet, the ease of exploitation and high impact make this a significant threat. The vulnerability emphasizes the need for robust input validation and output encoding in web applications, especially those handling user-generated content in multi-privileged environments like LMS platforms.

The impact of CVE-2025-59543 is severe for organizations using Chamilo LMS versions prior to 1.11.34. Successful exploitation allows attackers to perform account takeover (ATO) of privileged users, including administrators, by stealing session cookies or tokens. This can lead to unauthorized access to sensitive educational data, modification or deletion of course content, disruption of LMS services, and potential lateral movement within the organization’s network. The compromise of administrator accounts can further escalate risks by allowing attackers to create or modify user accounts, alter system configurations, or deploy additional malicious payloads. Educational institutions, corporate training environments, and any organizations relying on Chamilo LMS for critical training or compliance programs face significant confidentiality, integrity, and availability risks. The vulnerability’s low attack complexity and requirement for only low-privileged access increase the likelihood of exploitation, especially in environments with many users and trainers. The absence of known exploits in the wild currently provides a window for proactive mitigation, but the critical nature demands urgent patching and monitoring.

Organizations should immediately upgrade Chamilo LMS to version 1.11.34 or later, where this vulnerability is patched. Until the upgrade can be applied, administrators should restrict the ability to edit course descriptions to only highly trusted users and implement strict input validation and output encoding on user-generated content fields. Employing web application firewalls (WAFs) with rules targeting XSS payloads can provide temporary protection. Regularly audit LMS user roles and permissions to minimize low-privileged users’ ability to inject content. Enable Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers accessing the LMS. Monitor logs for unusual activity, such as unexpected administrative logins or anomalous HTTP requests containing suspicious scripts. Educate users, especially administrators, about the risks of clicking on untrusted links or viewing unverified course content. Finally, maintain an incident response plan to quickly address any detected compromise resulting from this vulnerability.