CVE-2025-52475
Reflected XSS in Chamilo admin/user_list.php Before
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.30 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52475 is a reflected cross-site scripting (XSS) vulnerability in the Chamilo learning management system affecting versions up to 1.11.28. It occurs in the admin/user_list.php endpoint where the keyword_inactive parameter is not properly sanitized. This improper input handling allows attackers to inject malicious JavaScript code through a specially crafted URL.
When a victim visits the malicious URL and performs a specific key combination (ALT+SHIFT+X on Windows/Linux or CTRL+ALT+X on macOS), the injected script is executed in their browser. This vulnerability is classified as moderate severity and relates to weaknesses in neutralizing script-related HTML tags and alternate XSS syntax.
How can this vulnerability impact me?
This vulnerability can allow attackers to execute malicious JavaScript in the context of the victim's browser when they visit a crafted URL and trigger the script. This can lead to unauthorized actions such as stealing session cookies, performing actions on behalf of the user, or redirecting the user to malicious sites.
Because the attack requires user interaction (pressing specific key combinations), the risk is somewhat reduced but still significant, especially for administrative users who have elevated privileges. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the admin/user_list.php endpoint for reflected cross-site scripting (XSS) via the keyword_inactive parameter.
One way to detect it is by crafting a URL similar to the example exploit URL and observing if the injected JavaScript executes when triggered.
Example URL to test: http://cham/main/admin/user_list.php?keyword_firstname=Joe&keyword_lastname=&keyword_username=&keyword_email=&keyword_officialcode=&keyword_status=%25&keyword_active=1&keyword_inactive=1"accesskey="x"onclick="alert(1)"//&submit=&_qf__advanced_search=&item_id=0
To trigger the malicious script in a browser, the victim needs to press ALT+SHIFT+X on Windows/Linux or CTRL+ALT+X on macOS.
Network or system administrators can monitor HTTP requests to the admin/user_list.php endpoint and look for suspicious keyword_inactive parameter values containing script-like payloads. [1]
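The log-monitoring approach described above, as an added example that is not part of the advisory or the Chamilo project: it scans web-server access-log lines for requests to admin/user_list.php whose keyword_inactive value contains HTML-attribute metacharacters. The log lines are constructed samples in combined log format, and the path /main/admin/user_list.php is assumed from the example URL.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in "combined" format (not real traffic).
# Line 2 carries the attribute-injection pattern from the advisory's example URL,
# line 3 a generic tag injection, line 4 hits a different path and must be ignored.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2026:10:00:01 +0000] "GET /main/admin/user_list.php?keyword_firstname=Joe&keyword_active=1&keyword_inactive=1&submit= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2026:10:00:07 +0000] "GET /main/admin/user_list.php?keyword_firstname=&keyword_inactive=1%22accesskey%3D%22x%22onclick%3D%22alert(1)%22%2F%2F&submit= HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2026:10:00:09 +0000] "GET /main/admin/user_list.php?keyword_inactive=1%3Cscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [02/Mar/2026:10:01:00 +0000] "GET /main/index.php?keyword_inactive=%22onclick%3D HTTP/1.1" 200 900 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/main/admin/user_list.php"   # assumed from the advisory's example URL
PARAM = "keyword_inactive"
# The legitimate value is a simple flag; anything that can break out of an HTML
# attribute (quotes, angle brackets, an on* handler, accesskey) is suspicious.
SUSPICIOUS_RE = re.compile(r'["\'<>]|\bon\w+\s*=|accesskey', re.IGNORECASE)


def is_suspicious(value: str) -> bool:
    """True if a decoded keyword_inactive value contains attribute-injection characters."""
    return bool(SUSPICIOUS_RE.search(value))


def scan_log(text: str) -> list[dict]:
    """Return one finding per request to the vulnerable endpoint with a suspicious value."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs already percent-decodes once; decode again to catch double encoding.
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            decoded = unquote(value)
            if is_suspicious(decoded):
                findings.append({"ip": m.group("ip"), "time": m.group("ts"), "value": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} suspicious {PARAM}={f['value']!r}")
```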
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Chamilo LMS to version 1.11.30 or later, where this vulnerability has been patched.
Until the upgrade can be performed, restrict access to the admin/user_list.php endpoint to trusted users only.
Additionally, implement input validation or web application firewall (WAF) rules to block requests with suspicious keyword_inactive parameter values containing script injection attempts.