CVE-2025-52475
Status: Received - Intake
Reflected XSS in Chamilo admin/user_list.php Before

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This issue has been patched in version 1.11.30.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-02
EPSS evaluated: 2026-06-15
Affected Vendors & Products
1 associated CPE
Vendor: chamilo | Product: chamilo_lms | Version / Range: up to 1.11.30 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2025-52475 is a reflected cross-site scripting (XSS) vulnerability in the Chamilo learning management system affecting versions up to 1.11.28. It occurs in the admin/user_list.php endpoint where the keyword_inactive parameter is not properly sanitized. This improper input handling allows attackers to inject malicious JavaScript code through a specially crafted URL.

When a victim visits the malicious URL and performs a specific key combination (ALT+SHIFT+X on Windows/Linux or CTRL+ALT+X on macOS), the injected script is executed in their browser. This vulnerability is classified as moderate severity and relates to weaknesses in neutralizing script-related HTML tags and alternate XSS syntax.

Impact Analysis

This vulnerability can allow attackers to execute malicious JavaScript in the context of the victim's browser when they visit a crafted URL and trigger the script. This can lead to unauthorized actions such as stealing session cookies, performing actions on behalf of the user, or redirecting the user to malicious sites.

Because the attack requires user interaction (pressing specific key combinations), the risk is somewhat reduced but still significant, especially for administrative users who have elevated privileges. [1]

Detection Guidance

This vulnerability can be detected by testing the admin/user_list.php endpoint for reflected cross-site scripting (XSS) via the keyword_inactive parameter.

One way to detect it is by crafting a URL similar to the example exploit URL and observing if the injected JavaScript executes when triggered.

Example URL to test: http://cham/main/admin/user_list.php?keyword_firstname=Joe&keyword_lastname=&keyword_username=&keyword_email=&keyword_officialcode=&keyword_status=%25&keyword_active=1&keyword_inactive=1"accesskey="x"onclick="alert(1)"//&submit=&_qf__advanced_search=&item_id=0

To trigger the malicious script in a browser, the victim needs to press ALT+SHIFT+X on Windows/Linux or CTRL+ALT+X on macOS.

Network or system administrators can monitor HTTP requests to the admin/user_list.php endpoint and look for suspicious keyword_inactive parameter values containing script-like payloads. [1]
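The last point above (monitoring requests to admin/user_list.php for script-like keyword_inactive values) can be turned into a small log check. The following is an added Python example, not part of this CVE record or of Chamilo: it scans constructed Apache-style access-log lines, URL-decodes the query string, and flags any keyword_inactive value that is outside the small set a checkbox field legitimately submits or that carries attribute-breakout markers. The allowed-value set, the log format and the sample lines are assumptions; the flagged value is the URL-encoded form of the parameter from the example URL on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (Apache common log format). Line 2 carries the
# URL-encoded keyword_inactive value from the example URL above; the others are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Mar/2026:10:00:01 +0000] "GET /main/admin/user_list.php?keyword_firstname=Joe&keyword_active=1&keyword_inactive=1&submit= HTTP/1.1" 200 5120
203.0.113.7 - - [02/Mar/2026:10:00:09 +0000] "GET /main/admin/user_list.php?keyword_firstname=&keyword_active=1&keyword_inactive=1%22accesskey%3D%22x%22onclick%3D%22alert(1)%22%2F%2F&submit= HTTP/1.1" 200 5140
203.0.113.9 - - [02/Mar/2026:10:00:15 +0000] "GET /main/admin/user_list.php?keyword_active=&keyword_inactive=0 HTTP/1.1" 200 5100
198.51.100.2 - - [02/Mar/2026:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 800
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
ENDPOINT_SUFFIX = "/admin/user_list.php"

# Assumption: the inactive-filter checkbox only ever submits an empty string, "0" or "1".
ALLOWED_VALUES = {"", "0", "1"}

# Signs that a value is trying to escape an HTML attribute rather than filter a list.
CHECKS = [
    (re.compile(r'["\'<>]'), "attribute/tag metacharacters"),
    (re.compile(r"\bon\w+\s*=", re.I), "event handler attribute"),
    (re.compile(r"\baccesskey\b", re.I), "accesskey attribute"),
]


def analyze_request(path_and_query):
    """Return findings for keyword_inactive on the user_list endpoint.

    None  -> request is for another endpoint (not examined)
    []    -> endpoint matched, nothing suspicious
    list  -> one dict per suspicious value with the reasons it was flagged
    """
    parts = urlsplit(path_and_query)
    if not parts.path.endswith(ENDPOINT_SUFFIX):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for value in params.get("keyword_inactive", []):
        if value in ALLOWED_VALUES:
            continue
        reasons = [label for pattern, label in CHECKS if pattern.search(value)]
        if not reasons:
            reasons.append("value outside expected set")
        findings.append({"value": value, "reasons": reasons})
    return findings


def scan_log(text):
    """Walk log lines and collect requests whose keyword_inactive value was flagged."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = analyze_request(match.group(1))
        if findings:
            hits.append({"line": lineno, "client": line.split(" ", 1)[0], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['client']}:")
        for finding in hit["findings"]:
            print(f"  value={finding['value']!r} reasons={finding['reasons']}")
```

Decoding before matching matters: the same value can arrive percent-encoded, so a rule that looks for a literal `"` in the raw request line would miss it. Anything flagged here is worth correlating with which account made the request, since the endpoint is administrative.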

Mitigation Strategies

The immediate mitigation step is to upgrade Chamilo LMS to version 1.11.30 or later, where this vulnerability has been patched.

Until the upgrade can be performed, restrict access to the admin/user_list.php endpoint to trusted users only.

Additionally, implement input validation or web application firewall (WAF) rules to block requests with suspicious keyword_inactive parameter values containing script injection attempts.
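The three mitigations above are deployment-side controls; the root-cause fix for CWE-79 is encoding the reflected value for the HTML attribute context it lands in. The following is an added Python example, not Chamilo's PHP code and not the project's patch: it shows a minimal stand-in for a form field that echoes the submitted keyword_inactive value (the vulnerable shape), the same field with attribute-context encoding, and a check using Python's own HTML parser to see which attributes a browser-style parser would read from each. The input element's structure is an assumption; the payload is the URL-decoded parameter value from the example URL on this page.

```python
import html
from html.parser import HTMLParser

# Constructed input: the keyword_inactive value from the page's example URL, URL-decoded.
PAYLOAD = '1"accesskey="x"onclick="alert(1)"//'


def render_field_unsafe(value: str) -> str:
    """Echoes the submitted value straight into an attribute: the CWE-79 bug class.
    The closing quote in the value ends the attribute and the rest becomes new attributes."""
    return f'<input type="checkbox" name="keyword_inactive" value="{value}">'


def render_field_safe(value: str) -> str:
    """Encodes for the attribute context. quote=True turns " and ' into entities,
    so the value can no longer terminate the attribute it sits in."""
    return f'<input type="checkbox" name="keyword_inactive" value="{html.escape(value, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input> tag, as a tolerant parser reads them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            self.attrs = dict(attrs)  # HTMLParser already unescapes entities in values


def parse_input_attrs(markup: str) -> dict:
    """Return {attribute: value} for the first <input> element in markup."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


if __name__ == "__main__":
    unsafe_attrs = parse_input_attrs(render_field_unsafe(PAYLOAD))
    safe_attrs = parse_input_attrs(render_field_safe(PAYLOAD))
    print("unsafe render yields attributes:", sorted(unsafe_attrs))
    print("safe render yields attributes:  ", sorted(safe_attrs))
    print("safe value round-trips intact:  ", safe_attrs["value"] == PAYLOAD)
```

In the unsafe rendering the parser sees `accesskey` and `onclick` as real attributes, which is exactly why the page describes a key combination as the trigger: the injected accesskey binds the handler to a keystroke. In the safe rendering the whole payload is a single `value` attribute and the original text is preserved, so encoding loses nothing for legitimate input. A WAF rule is a useful stopgap, but this output encoding is what makes the reflection harmless regardless of what reaches the parameter.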
