CVE-2025-59542

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-59542
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.

9.0 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References
Link Resource
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 Product Release Notes
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-pxrh-3rcp-h7m6 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
History

09 Mar 2026, 17:31

Type Values Removed Values Added
CPE cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*
References () https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 - () https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 - Product, Release Notes
References () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-pxrh-3rcp-h7m6 - () https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-pxrh-3rcp-h7m6 - Vendor Advisory
First Time Chamilo chamilo Lms
Chamilo

09 Mar 2026, 13:36

Type Values Removed Values Added
Summary
  • (es) Chamilo es un sistema de gestión del aprendizaje. Antes de la versión 1.11.34, existe una vulnerabilidad de cross-site scripting (XSS) almacenado. Al inyectar JavaScript malicioso en el campo Settings de la ruta de aprendizaje del curso, un atacante con una cuenta de bajo privilegio (por ejemplo, instructor) puede ejecutar código JavaScript arbitrario en el contexto de cualquier otro usuario que vea la página de información del curso, incluidos los administradores. Esto permite a un atacante exfiltrar cookies o tokens de sesión sensibles, lo que resulta en la toma de control de cuentas (ATO) de usuarios con mayores privilegios. Este problema ha sido parcheado en la versión 1.11.34.

06 Mar 2026, 04:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-06 04:16

Updated : 2026-03-09 17:31

NVD link : CVE-2025-59542

Mitre link : CVE-2025-59542

CVE.ORG link : CVE-2025-59542

JSON object : View

Products Affected

chamilo

  • chamilo_lms
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')