Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-52470 is a stored Cross-Site Scripting (XSS) vulnerability in the Chamilo learning management system prior to version 1.11.30. It exists in the session_category_add.php script due to improper sanitization of the Category Name input field. Privileged users, such as administrators, can inject persistent malicious JavaScript code into this field. This injected script is stored in the database and later executed when accessing the add_many_sessions_to_category.php page, potentially compromising administrative sessions.'}, {'type': 'paragraph', 'content': "The vulnerability arises because the input is not properly sanitized before storage and rendering, allowing attackers with admin privileges to insert scripts that run in other admins' browsers. The issue has been fixed in version 1.11.30 by implementing layered input and output sanitization techniques."}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers with administrative privileges to inject malicious scripts that execute in the browsers of other administrators. This can lead to session hijacking, unauthorized data access, and execution of unauthorized actions within the Chamilo LMS.

• Hijacking of administrative sessions.
• Exfiltration of sensitive data accessible to administrators.
• Execution of unauthorized administrative actions.
• Potential escalation of attacks within environments with multiple administrators.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the Category Name field in the Chamilo LMS database, particularly in session categories created or edited via session_category_add.php.'}, {'type': 'paragraph', 'content': 'One approach is to query the database for suspicious script tags or event handler attributes (e.g., onerror, onclick) in the category names stored in the relevant tables.'}, {'type': 'paragraph', 'content': 'For example, you can run SQL commands to search for suspicious patterns in the category name fields, such as:'}, {'type': 'list_item', 'content': "SELECT * FROM session_categories WHERE category_name LIKE '%<script>%';"}, {'type': 'list_item', 'content': "SELECT * FROM session_categories WHERE category_name LIKE '%onerror=%' OR category_name LIKE '%onclick=%';"}, {'type': 'paragraph', 'content': 'Additionally, monitoring HTTP requests to the add_many_sessions_to_category.php page for unexpected script execution or unusual admin session behavior can help detect exploitation attempts.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Chamilo LMS to version 1.11.30 or later, where this vulnerability has been patched.

The patch includes proper sanitization and filtering of the Category Name input field to prevent injection of malicious scripts.

If upgrading immediately is not possible, restrict administrative privileges to trusted users only, as the vulnerability requires high privileges to exploit.

Also, review and sanitize existing session category names in the database to remove any malicious scripts.

Implement monitoring for suspicious activity on the add_many_sessions_to_category.php page and consider applying web application firewall (WAF) rules to block common XSS payloads targeting this functionality.

Useful 0 Not Useful 0