Chamilo is a learning management system. Prior to version 1.11.30, a stored cross-site scripting (XSS) vulnerability exists in the session_category_add.php script. The vulnerability is caused by improper sanitization of the Category Name field, allowing privileged users to inject persistent JavaScript payloads. The injected script is later executed when accessing add_many_sessions_to_category.php, potentially compromising administrative sessions. This issue has been patched in version 1.11.30.
References
| Link | Resource |
|---|---|
| https://github.com/chamilo/chamilo-lms/commit/ead79db4eb034b8c11a3d6036759d083de37530c | Patch |
| https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30 | Product Release Notes |
| https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-p4m6-gwhg-x89f | Exploit Vendor Advisory |
Configurations
History
03 Mar 2026, 18:23
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Chamilo chamilo Lms
Chamilo |
|
| References | () https://github.com/chamilo/chamilo-lms/commit/ead79db4eb034b8c11a3d6036759d083de37530c - Patch | |
| References | () https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30 - Product, Release Notes | |
| References | () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-p4m6-gwhg-x89f - Exploit, Vendor Advisory | |
| CPE | cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:* |
02 Mar 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-02 16:16
Updated : 2026-03-03 18:23
NVD link : CVE-2025-52470
Mitre link : CVE-2025-52470
CVE.ORG link : CVE-2025-52470
JSON object : View
Products Affected
chamilo
- chamilo_lms
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')