CVE-2025-52482
Status: Received - Intake
Stored XSS in Chamilo Glossary Allows Teacher-Level Code Injection

Publication date: 2026-03-02

Last updated on: 2026-03-03

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30.
Meta Information
Published: 2026-03-02
Last Modified: 2026-03-03
Generated: 2026-05-07
AI Q&A: 2026-03-02
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Vendor: chamilo
Product: chamilo_lms
Version / Range: versions before 1.11.30 (1.11.30 excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-52482 is a Stored Cross-Site Scripting (XSS) vulnerability in the Chamilo learning management system, specifically in the glossary function. It allows users with the Teacher role to inject malicious JavaScript code into glossary terms. This malicious code is stored in the system and executed later when an administrator views the course logs, enabling the attacker to run scripts in the administrator's browser.

The vulnerability occurs because glossary term titles are stored as HTML without proper sanitization or encoding, allowing JavaScript event handler attributes (such as onclick) to be injected and executed. The issue was fixed by implementing filters that remove all "on*" event handler attributes from user inputs, preventing the injection of malicious scripts.


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized execution of malicious scripts in the context of an administrator's browser. This can lead to compromise of administrator accounts, theft of sensitive information, manipulation of administrative functions, and potential further exploitation of the system.

Because the attack requires a user with Teacher privileges to inject the malicious code and an administrator to view the affected logs, it involves high privileges and user interaction, but the attack complexity is low and it can be exploited remotely over the network.

The CVSS v3.1 base score of 8.3 reflects a high severity with significant impact on confidentiality, integrity, and availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability CVE-2025-52482 is a Stored Cross-Site Scripting (XSS) issue in the Chamilo LMS glossary function, exploitable by users with the Teacher role injecting malicious JavaScript into glossary terms.

Detection involves checking for glossary entries containing unsafe "on*" HTML attributes (such as onclick, onmouseover) or embedded JavaScript in the term titles stored in the database.

You can detect potentially malicious glossary terms by querying the database for glossary entries containing suspicious patterns like event handler attributes or script tags.

- Example SQL command to find glossary terms with 'on' event attributes or script tags: SELECT glossary_id, term FROM glossary WHERE term REGEXP '(on\w+\s*=|<script)';
- Alternatively, search for suspicious JavaScript payloads in glossary terms using grep on database dumps or logs: grep -iE 'on\w+\s*=|<script' glossary_dump.sql

Monitoring HTTP POST requests to the glossary edit endpoint (/main/glossary/index.php?action=edit_glossary) for suspicious input containing 'on*' attributes or script tags can also help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Chamilo LMS to version 1.11.30 or later, where the vulnerability has been patched.

The patch removes all unsafe "on*" event handler attributes from user input fields by applying a filter that sanitizes and strips these attributes from HTML inputs.

- Apply the security update that introduces the 'attr_on_filter' in the FormValidator class to sanitize input fields.
- Ensure the HTML Purifier component includes the custom 'RemoveOnAttributes' filter to remove all 'on*' event handler attributes from user-submitted HTML.

Additionally, avoid using inline JavaScript event handlers for UI elements related to glossary entries, replacing them with safer modal dialogs for actions like deletion confirmation.

Restrict the Teacher role permissions if possible, and monitor for suspicious glossary term edits until the patch is applied.
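The two answers above describe the same check from opposite sides: the detection answer looks for "on*" attributes and script tags in stored glossary terms, and the mitigation answer describes a filter that strips those attributes on input. The following Python is an added illustration of both, written for this page; it is not Chamilo's code, not the patch's 'attr_on_filter', and not the HTML Purifier 'RemoveOnAttributes' filter. It tokenizes each term with the standard library's HTMLParser instead of the REGEXP query, which also catches attribute names that a simple regex would miss (for example when whitespace separates the name from '='). The SAMPLE_ROWS data, the Finding type and all function names are constructed assumptions for the example.

```python
"""Flag and strip inline event-handler attributes in stored glossary terms.

Added illustration for CVE-2025-52482, not Chamilo's own code: a standard-library
HTML tokenizer stands in for the database query and the HTML Purifier filter
that the advisory's Q&A mentions.
"""
import html
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List


@dataclass
class Finding:
    term_id: int
    reason: str


class EventAttrScanner(HTMLParser):
    """Records every on* attribute and every <script> tag seen in a fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("<script> tag")
        for name, _value in attrs:          # HTMLParser lowercases attribute names
            if name.startswith("on"):
                self.hits.append(f"{name} attribute on <{tag}>")

    handle_startendtag = handle_starttag    # also inspect self-closing <img ... /> forms


def scan_term(fragment: str) -> List[str]:
    """Return the reasons a glossary term would be flagged (empty list if clean)."""
    parser = EventAttrScanner()
    parser.feed(fragment)
    parser.close()
    return parser.hits


def scan_rows(rows) -> List[Finding]:
    """Run the scanner over (id, term) rows, shaped like a SELECT over the glossary table."""
    findings: List[Finding] = []
    for term_id, term in rows:
        for reason in scan_term(term):
            findings.append(Finding(term_id, reason))
    return findings


class OnAttrStripper(HTMLParser):
    """Re-emits a fragment with on* attributes dropped; other markup passes through unchanged."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)   # keep &amp; and friends as written
        self.out: List[str] = []

    def _emit(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on"):
                continue                            # the whole fix: drop every on* attribute
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_on_attrs(fragment: str) -> str:
    """Return the fragment with all on* event-handler attributes removed."""
    parser = OnAttrStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


# Constructed sample rows standing in for glossary records; ids and terms are made up.
SAMPLE_ROWS = [
    (1, "Phishing"),
    (2, "<b>Token</b> &amp; session"),
    (3, '<span onmouseover="alert(1)">Cookie</span>'),
    (4, '<img src="x" onerror="alert(1)" />'),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(f"term {finding.term_id}: {finding.reason}")
    for term_id, term in SAMPLE_ROWS:
        print(term_id, strip_on_attrs(term))
```

Running the block flags rows 3 and 4 and re-emits them without their handlers while leaving the harmless markup of row 2 intact. Treat a scan like this as triage over existing data, not as the fix: the stripper only removes attributes whose names start with "on", so it does not cover javascript: URLs in href or src, and it does not replace an allow-list sanitizer such as HTML Purifier or output encoding at render time, which is why upgrading to 1.11.30 remains the primary step.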

