CVE-2025-52563
Reflected XSS in Chamilo add_users_to_session.php Endpoint
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.30 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-87 | The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52563 is a reflected cross-site scripting (XSS) vulnerability in Chamilo LMS versions up to 1.11.28. It occurs because the application does not properly sanitize the "page" parameter of the session/add_users_to_session.php endpoint. This allows attackers to inject malicious scripts by including special characters like <, >, and & in the input.

When a user interacts with the crafted element (for example, by moving the mouse over it), the injected script executes, potentially leading to unauthorized actions or data exposure. This vulnerability is classified under CWE-80 and CWE-87, indicating improper neutralization of script-related HTML tags and of alternate XSS syntax.

The issue was fixed in Chamilo version 1.11.30. [1]
How can this vulnerability impact me?
This reflected XSS vulnerability can allow attackers to execute malicious scripts in the context of a user's browser session. Potential impacts include theft of session cookies, defacement of web pages, redirection to malicious sites, or performing actions on behalf of the user without their consent.

Since the attack requires user interaction (such as moving the mouse over a crafted element), it relies on social engineering to trigger the exploit.

Overall, this can lead to compromised user accounts, loss of data integrity, and reduced trust in the affected application. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'page' parameter of the endpoint session/add_users_to_session.php for reflected cross-site scripting (XSS). Specifically, you can attempt to inject special characters such as <, >, and & or JavaScript event handlers like onmouseover to see if they are improperly sanitized and reflected in the response.

A common approach is to use tools like curl or wget to send crafted HTTP requests and observe the response for unsanitized script injections.

- Example curl command to test the vulnerability: curl -i 'http://your-chamilo-site/session/add_users_to_session.php?page=<script>alert(1)</script>'
- Alternatively, use a web proxy tool like Burp Suite or OWASP ZAP to intercept and modify requests that inject XSS payloads in the 'page' parameter, and observe whether the payload is reflected unsanitized. [1]
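The detection advice above tests the live endpoint; a defender can also look back through web-server access logs for probes against it. The following is an added example, not code from the page or from the Chamilo project: it parses constructed common-log-format lines, isolates requests to session/add_users_to_session.php, and flags 'page' values containing the markup characters or inline event-handler syntax named in the CWE entries above (the log lines and IP addresses are constructed; the Chamilo path and parameter come from the advisory).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter named in CVE-2025-52563.
ENDPOINT = "/session/add_users_to_session.php"
PARAM = "page"
# Markup characters from CWE-80 and an inline event handler such as onmouseover (CWE-87).
MARKUP_CHARS = re.compile(r"[<>&]")
EVENT_HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)
# Request field of a common-log-format line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_page_values(line: str) -> list[str]:
    """Return decoded 'page' values in one log line that look like XSS probes."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith(ENDPOINT):
        return []
    hits = []
    # parse_qs percent-decodes once; a second unquote catches double-encoded probes.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        decoded = unquote(value)
        if MARKUP_CHARS.search(decoded) or EVENT_HANDLER.search(decoded):
            hits.append(decoded)
    return hits


def scan(lines):
    """Return (line, flagged_values) pairs for every log line with a suspicious 'page'."""
    return [(ln, hits) for ln in lines if (hits := suspicious_page_values(ln))]


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Mar/2026:10:01:12 +0000] "GET /session/add_users_to_session.php?page=2 HTTP/1.1" 200 4821',
    '203.0.113.5 - - [02/Mar/2026:10:01:40 +0000] "GET /session/add_users_to_session.php?page=%3Cb%20onmouseover%3Dx%3E HTTP/1.1" 200 4901',
    '198.51.100.7 - - [02/Mar/2026:10:02:03 +0000] "GET /main/inc/lib/javascript/jquery.js HTTP/1.1" 200 87530',
    '198.51.100.7 - - [02/Mar/2026:10:02:15 +0000] "GET /session/add_users_to_session.php?page=%253Cscript%253E HTTP/1.1" 200 4821',
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print("FLAGGED", hits, "<-", line.split('"')[1])
```

The same two patterns are the core of a WAF rule for the 'page' parameter; run the decode step before matching, as the fourth sample line shows why.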
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Chamilo LMS to version 1.11.30 or later, where this reflected XSS vulnerability has been patched.

If upgrading immediately is not possible, consider implementing web application firewall (WAF) rules to block or sanitize requests containing suspicious script tags or event handlers in the 'page' parameter.

Additionally, educate users to avoid clicking on suspicious links that might exploit this vulnerability, as the XSS requires user interaction to execute. [1]