CVE-2025-52482
Received Received - Intake
Stored XSS in Chamilo Glossary Allows Teacher-Level Code Injection

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-52482
EUVD
EUVD-2025-208167
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
chamilo chamilo_lms to 1.11.30 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-52482 is a Stored Cross-Site Scripting (XSS) vulnerability in the Chamilo learning management system, specifically in the glossary function. It allows users with the Teacher role to inject malicious JavaScript code into glossary terms. This malicious code is stored in the system and executed later when an administrator views the course logs, enabling the attacker to run scripts in the administrator's browser."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because glossary term titles are stored as HTML without proper sanitization or encoding, allowing JavaScript event handler attributes (such as onclick) to be injected and executed. The issue was fixed by implementing filters that remove all "on*" event handler attributes from user inputs, preventing the injection of malicious scripts.'}] [3, 1, 2]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can have serious impacts including unauthorized execution of malicious scripts in the context of an administrator's browser. This can lead to compromise of administrator accounts, theft of sensitive information, manipulation of administrative functions, and potential further exploitation of the system."}, {'type': 'paragraph', 'content': 'Because the attack requires a user with Teacher privileges to inject the malicious code and an administrator to view the affected logs, it involves high privileges and user interaction, but the attack complexity is low and it can be exploited remotely over the network.'}, {'type': 'paragraph', 'content': 'The CVSS v3.1 base score of 8.3 reflects a high severity with significant impact on confidentiality, integrity, and availability.'}] [3]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability CVE-2025-52482 is a Stored Cross-Site Scripting (XSS) issue in the Chamilo LMS glossary function, exploitable by users with the Teacher role injecting malicious JavaScript into glossary terms.'}, {'type': 'paragraph', 'content': 'Detection involves checking for glossary entries containing unsafe "on*" HTML attributes (such as onclick, onmouseover) or embedded JavaScript in the term titles stored in the database.'}, {'type': 'paragraph', 'content': 'You can detect potentially malicious glossary terms by querying the database for glossary entries containing suspicious patterns like event handler attributes or script tags.'}, {'type': 'list_item', 'content': "Example SQL command to find glossary terms with 'on' event attributes or script tags: SELECT glossary_id, term FROM glossary WHERE term REGEXP '(on\\w+\\s*=|<script)';"}, {'type': 'list_item', 'content': "Alternatively, search for suspicious JavaScript payloads in glossary terms using grep on database dumps or logs: grep -iE 'on\\w+\\s*=|<script' glossary_dump.sql"}, {'type': 'paragraph', 'content': "Monitoring HTTP POST requests to the glossary edit endpoint (/main/glossary/index.php?action=edit_glossary) for suspicious input containing 'on*' attributes or script tags can also help detect exploitation attempts."}] [3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability has been patched.'}, {'type': 'paragraph', 'content': 'The patch removes all unsafe "on*" event handler attributes from user input fields by applying a filter that sanitizes and strips these attributes from HTML inputs.'}, {'type': 'list_item', 'content': "Apply the security update that introduces the 'attr_on_filter' in the FormValidator class to sanitize input fields."}, {'type': 'list_item', 'content': "Ensure the HTML Purifier component includes the custom 'RemoveOnAttributes' filter to remove all 'on*' event handler attributes from user-submitted HTML."}, {'type': 'paragraph', 'content': 'Additionally, avoid using inline JavaScript event handlers for UI elements related to glossary entries, replacing them with safer modal dialogs for actions like deletion confirmation.'}, {'type': 'paragraph', 'content': 'Restrict the Teacher role permissions if possible, and monitor for suspicious glossary term edits until the patch is applied.'}] [1, 2, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-52482. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart