CVE-2025-52476
Status: Received - Intake
Reflected XSS in Chamilo admin/user_list.php Before

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability due to improper sanitization (missing output encoding) of the keyword_active parameter in admin/user_list.php. This issue has been patched in version 1.11.30.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: chamilo | Product: chamilo_lms | Version range: all versions before 1.11.30 (1.11.30 itself is not affected)
CWE
CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-52476 is a reflected cross-site scripting (XSS) vulnerability in Chamilo LMS versions before 1.11.30. It occurs because the application does not encode the user-supplied keyword_active parameter before reflecting it into the HTML of the admin/user_list.php page.

The unencoded reflection lets an attacker close the HTML attribute the value lands in and inject further attributes or script, which then run in the victim's browser in the context of the Chamilo site. Because the page lives under admin/, the realistic victim is a logged-in platform administrator.

The known proof of concept injects an accesskey attribute together with an onclick handler, so that attack requires user interaction: the victim must press the browser's accesskey combination for the injected key (ALT+SHIFT+X on Windows/Linux or CTRL+ALT+X on macOS in Firefox; Chrome on Windows and Linux uses ALT+X alone). The keypress requirement comes from that particular payload, not from the underlying flaw, so it should not be relied on as a control.

The advisory classifies the weakness as failure to neutralize special characters and alternate scripting syntax (CWE-80 and CWE-87); this page's CWE table maps it to the parent CWE-79.

This issue was fixed in Chamilo LMS version 1.11.30. [2]


How can this vulnerability impact me? :

This vulnerability can allow an attacker to execute arbitrary script in the context of the affected Chamilo site when an administrator opens a specially crafted URL.

Such script execution can lead to theft of the administrator's session, actions performed with administrator privileges (the page is an admin user-management view), defacement of the site, or redirection to malicious sites.

Because the published proof of concept requires user interaction (pressing a specific key combination), the risk is somewhat mitigated but still significant.

Overall, it poses a moderate security risk that could compromise user data and trust in the application.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the `keyword_active` parameter of the `admin/user_list.php` page of Chamilo LMS for reflected cross-site scripting (XSS): send a value containing attribute-breaking characters and check whether it is reflected into the response unencoded.

A practical check is to craft a URL whose `keyword_active` value closes the attribute and adds an `accesskey` together with an `onclick` handler, then open that URL in a browser while logged in as an administrator and see whether the handler fires on the accesskey combination. Example test URL pattern (replace `your-chamilo-url` accordingly):

https://your-chamilo-url/admin/user_list.php?keyword_active=%22%20accesskey%3D%22x%22%20onclick%3D%22alert(1)%22

From the command line, fetch the page with the payload using curl or wget and inspect the response. Two caveats: `admin/user_list.php` is only served to an authenticated administrator session, so pass a valid session cookie or the request is redirected to the login page and the test is inconclusive; and percent-encode the payload rather than sending raw quotes and spaces in the URL, which some servers and proxies reject.

curl -i -b "$ADMIN_COOKIE" 'https://your-chamilo-url/admin/user_list.php?keyword_active=%22%20accesskey%3D%22x%22%20onclick%3D%22alert(1)%22'

Then search the response body for the injected attributes with grep or another text-processing tool. An unpatched build reflects `accesskey="x" onclick="alert(1)"` verbatim inside the input tag; a patched build either strips the input or reflects it with the quotes entity-encoded (for example as `&quot;`), which is harmless:

curl -s -b "$ADMIN_COOKIE" 'https://your-chamilo-url/admin/user_list.php?keyword_active=%22%20accesskey%3D%22x%22%20onclick%3D%22alert(1)%22' | grep -c 'accesskey="x" onclick="alert(1)"'

A count of 1 or more indicates the unencoded reflection. [2]
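The following is an added example (not code from this page or from the Chamilo project) that automates the check above in Python. It builds the percent-encoded probe URL, classifies whether a response reflects the page's accesskey/onclick payload unencoded, entity-encoded, or not at all, and additionally, going beyond the page's curl-based check, scans web-server access logs for `keyword_active` values that look like injection attempts. The base URL, the cookie, the two sample responses and the access-log lines are constructed for illustration; the `probe` function assumes you supply a valid administrator session cookie.

```python
"""Probe and log-scan helpers for CVE-2025-52476 (Chamilo admin/user_list.php).

Added example, not code from the page or from the Chamilo project. It reuses
the page's accesskey/onclick test payload. The base URL, cookie value, HTTP
responses and access-log lines used below are constructed for illustration.
"""
import html
import re
import urllib.parse
import urllib.request

# The page's test payload: closes the quoted attribute value the keyword is
# reflected into, then adds accesskey="x" so the onclick handler fires when
# the victim presses the browser's accesskey combination with "x".
PAYLOAD = '" accesskey="x" onclick="alert(1)"'

# Matches the payload only when it ended up as real attributes inside a tag.
INJECTED_ATTR_RE = re.compile(r'<[^<>]*\saccesskey="x"\s+onclick="alert\(1\)"')


def build_probe_url(base_url: str, payload: str = PAYLOAD) -> str:
    """Percent-encode the payload; raw quotes and spaces in a URL are
    rejected by some servers and proxies, which would mask the result."""
    query = urllib.parse.urlencode({"keyword_active": payload})
    return f"{base_url.rstrip('/')}/admin/user_list.php?{query}"


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """'unescaped' = vulnerable; 'encoded' = reflected with the quotes
    entity-encoded (harmless); 'absent' = not reflected at all, for example
    a login page, which means the request was not authenticated."""
    if INJECTED_ATTR_RE.search(body):
        return "unescaped"
    if payload in html.unescape(body):
        return "encoded"
    return "absent"


def probe(base_url: str, session_cookie: str, timeout: float = 10.0) -> str:
    """Fetch the probe URL with an administrator session cookie (assumed to be
    supplied by the caller) and classify the response. admin/user_list.php is
    admin-only; without a valid session the result is 'absent'."""
    req = urllib.request.Request(
        build_probe_url(base_url),
        headers={"Cookie": session_cookie, "User-Agent": "cve-2025-52476-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_reflection(resp.read().decode("utf-8", "replace"))


# Passive detection in web-server access logs: flag keyword_active values that
# carry attribute/tag breakouts, inline event handlers or an accesskey.
REQUEST_LINE_RE = re.compile(r'"(?:GET|POST) (?P<path>\S*?/admin/user_list\.php\?\S*) HTTP/')
SUSPICIOUS_VALUE_RE = re.compile(r'[<>"\']|\bon\w+\s*=|\baccesskey\b', re.IGNORECASE)


def suspicious_log_lines(lines):
    """Return (line_number, decoded keyword_active value) for each request to
    admin/user_list.php whose keyword_active looks like an injection attempt."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = REQUEST_LINE_RE.search(line)
        if not m:
            continue
        query = urllib.parse.urlsplit(m.group("path")).query
        for value in urllib.parse.parse_qs(query, keep_blank_values=True).get("keyword_active", []):
            if SUSPICIOUS_VALUE_RE.search(value):
                hits.append((lineno, value))
    return hits


# Constructed responses: what an unpatched and a patched build would send back.
VULNERABLE_BODY = ('<input type="text" name="keyword_active" '
                   'value="" accesskey="x" onclick="alert(1)"">')
PATCHED_BODY = ('<input type="text" name="keyword_active" '
                'value="&quot; accesskey=&quot;x&quot; onclick=&quot;alert(1)&quot;">')

# Constructed Apache combined-format access-log lines (addresses are documentation ranges).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [02/Mar/2026:10:15:01 +0000] "GET /admin/user_list.php?keyword_active=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Mar/2026:10:16:44 +0000] "GET /admin/user_list.php?keyword_active=%22%20accesskey%3D%22x%22%20onclick%3D%22alert(1)%22 HTTP/1.1" 200 5310 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Mar/2026:10:17:02 +0000] "GET /main/inc/lib/javascript/jquery.min.js HTTP/1.1" 200 89476 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(build_probe_url("https://your-chamilo-url"))
    print("unpatched response:", classify_reflection(VULNERABLE_BODY))
    print("patched response:  ", classify_reflection(PATCHED_BODY))
    print("log hits:", suspicious_log_lines(SAMPLE_ACCESS_LOG))
```

`classify_reflection` deliberately distinguishes an encoded reflection from no reflection: an `absent` result on a live host usually means the request was bounced to the login page, not that the host is patched, so re-run with a valid administrator cookie before recording a negative. The log scanner keys on the decoded value, which is the same reason a WAF rule for this parameter must inspect the URL-decoded query string.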


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to upgrade Chamilo LMS to version 1.11.30 or later, where this reflected XSS vulnerability has been patched.

If upgrading immediately is not possible, restrict network access to the `admin/` path (the page is already limited to administrators within the application, so the useful extra control is an IP allowlist or VPN requirement at the reverse proxy), and consider applying web application firewall (WAF) rules to block suspicious input in the `keyword_active` parameter; such rules must match on the URL-decoded value, since the payload is normally sent percent-encoded.

Additionally, warning administrators not to open untrusted links to the platform can reduce risk, since the known proof of concept requires the victim to press a key combination after loading the crafted URL.

