CVE-2025-52468
Stored XSS in Chamilo User Import Allows Script Execution

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows attackers to inject a stored cross-site scripting (XSS) payload that is triggered when the user profile is viewed, potentially leading to malicious script execution in the context of the authenticated user. This issue has been patched in version 1.11.30.
Meta Information
Published: 2026-03-02
Last Modified: 2026-03-03
Generated: 2026-06-16
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: chamilo
Product: chamilo_lms
Version / Range: up to 1.11.30 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2025-52468 is a high-severity stored cross-site scripting (XSS) vulnerability in the Chamilo learning management system versions up to 1.11.28. It occurs due to insufficient input validation and sanitization of user data imported via CSV files, specifically in the "Last Name," "First Name," and "Username" fields.

Attackers can embed malicious JavaScript payloads within these fields during CSV import. These payloads are stored in the database and execute when an authenticated user views the compromised user profile, allowing malicious scripts to run in the context of that user's session.

This can lead to session hijacking, data theft, or other malicious actions. The vulnerability can also be exploited by unauthenticated users through the "Who is Online" page if a malicious user is online. The issue was patched in Chamilo version 1.11.30. [1]

Impact Analysis

This vulnerability can have serious impacts including the execution of malicious scripts in the context of authenticated users, which may lead to session hijacking, theft of sensitive data, and unauthorized actions within the Chamilo LMS.

Because the attack vector is network-based and requires no privileges, an attacker can exploit this by importing a malicious CSV file and then tricking users into viewing infected profiles.

Additionally, unauthenticated users can exploit the vulnerability via the "Who is Online" page if a malicious user is online, broadening the attack surface and increasing risk.

Overall, this can compromise confidentiality, integrity, and availability of the system, potentially disrupting learning activities and exposing user data. [1]

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads embedded in user data fields such as "Last Name," "First Name," and "Username" that were imported via CSV files.

One practical approach is to review imported user data for suspicious script tags or encoded JavaScript payloads.

Since the vulnerability triggers when viewing user profiles, monitoring HTTP requests to user profile pages for unusual script execution or unexpected payloads can help detect exploitation.

Commands to assist detection might include searching the database or exported CSV files for typical XSS patterns such as <script> tags or event handlers.

- Use grep or similar tools to scan CSV files or database exports for suspicious strings, e.g.: grep -iE '<script|onerror|onload|javascript:' users.csv
- Query the database for user fields containing script tags or suspicious payloads, for example in SQL: SELECT id, username, firstname, lastname FROM users WHERE firstname LIKE '%<script%' OR lastname LIKE '%<script%' OR username LIKE '%<script%';

Additionally, monitoring web server logs for unusual requests to whoisonline.php or user profile pages that might indicate attempts to trigger the XSS payload can be useful. [1]
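The grep and SQL checks above only catch a literal "<script" substring. The following is an added example (not Chamilo's code and not part of the advisory) that applies the same idea to the three affected fields of a user import CSV, broadening the match to any HTML tag opener, inline event handler or javascript: URI, and shows the output encoding a profile page needs to apply to stored values. The CSV header names and the ";" delimiter are assumptions about the import format; the sample rows are constructed.

```python
import csv
import html
import io
import re

# Constructed sample in the assumed Chamilo user-import layout (header names are assumptions).
SAMPLE_CSV = """LastName;FirstName;UserName;Email
Doe;Jane;jdoe;jane@example.invalid
<script>alert(1)</script>;John;jsmith;john@example.invalid
Roe;"<img src=x onerror=alert(2)>";rroe;r@example.invalid
Poe;Eve;"javascript:alert(3)";eve@example.invalid
"""

# The three fields the advisory names as insufficiently sanitized.
WATCHED_FIELDS = ("LastName", "FirstName", "UserName")

# Heuristic markers: any HTML tag opener, an inline event handler (on...=), or a javascript: URI.
# Broader than the grep in the guidance, so it will also flag harmless markup; review hits by hand.
XSS_MARKERS = re.compile(r"<\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def scan_user_csv(text, delimiter=";"):
    """Return (line_number, field, value) for every watched field that matches an XSS marker."""
    findings = []
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    for line_number, row in enumerate(reader, start=2):  # header is line 1
        for field in WATCHED_FIELDS:
            value = row.get(field) or ""
            if XSS_MARKERS.search(value):
                findings.append((line_number, field, value))
    return findings


def neutralize(value):
    """Output-encode a stored value before placing it in HTML, so markup renders as text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for line_number, field, value in scan_user_csv(SAMPLE_CSV):
        print(f"line {line_number}: {field} = {value!r} -> rendered safely as {neutralize(value)!r}")
```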

Mitigation Strategies

The primary immediate mitigation step is to upgrade Chamilo LMS to version 1.11.30 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, avoid importing user data via CSV files until the patch can be applied.

Review and sanitize any existing user data imported from CSV files to remove potential malicious scripts from the "Last Name," "First Name," and "Username" fields.

Limit access to the user import functionality to trusted administrators only.

Monitor user profiles and the "Who is Online" page for suspicious activity or unexpected script execution. [1, 2]
