Chamilo LMS, a widely used open-source learning management system, suffers from a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-59543. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), specifically within the course description field. Attackers with low-privileged accounts, such as trainers, can inject arbitrary JavaScript code into this field. When other users, including administrators, access the course information page, the malicious script executes in their browsers. This execution context allows attackers to steal sensitive session cookies or authentication tokens, leading to account takeover (ATO) of higher-privileged users. The vulnerability is remotely exploitable over the network without complex attack conditions, requiring only that the victim views the compromised page (user interaction required). The CVSS v3.1 base score is 9.1, reflecting critical severity due to high impact on confidentiality, integrity, and availability, combined with low attack complexity and low privileges required. The flaw affects all Chamilo LMS versions prior to 1.11.34, where it has been patched. No known exploits in the wild have been reported yet, but the risk remains significant due to the nature of stored XSS and the potential for privilege escalation within educational environments.

The impact of CVE-2025-59543 is severe for organizations using vulnerable Chamilo LMS versions. Successful exploitation can lead to account takeover of administrative or other high-privileged users, compromising the entire LMS environment. This can result in unauthorized access to sensitive educational data, manipulation or deletion of course content, disruption of learning activities, and potential exposure of personal information of students and staff. The breach of administrative accounts could also facilitate further lateral movement within an organization's network. Educational institutions, training providers, and any organizations relying on Chamilo LMS for critical learning functions face risks to operational continuity and data confidentiality. The vulnerability undermines trust in the platform and could lead to reputational damage and regulatory consequences if personal data is exposed.

Organizations should immediately upgrade Chamilo LMS to version 1.11.34 or later, where the vulnerability is patched. In addition to patching, implement strict input validation and output encoding on all user-supplied content fields to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Limit the privileges of user roles that can edit course descriptions, and monitor logs for unusual activity related to course content changes. Conduct regular security audits and penetration testing focused on web application vulnerabilities. Educate users, especially administrators, about the risks of XSS and encourage cautious behavior when interacting with LMS content. Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads targeting Chamilo LMS. Finally, maintain an incident response plan to quickly address any suspected exploitation.