CVE-2025-55208
Stored XSS in Chamilo Social Networks Enables Admin Takeover
Publication date: 2026-03-05
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | to 1.11.34 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2025-55208 is a critical Stored Cross-Site Scripting (XSS) vulnerability in Chamilo LMS versions up to 1.11.32, specifically in the social networks' file upload feature."}, {'type': 'paragraph', 'content': 'A low-privilege user can upload malicious files containing arbitrary JavaScript code. This code is stored and later executed in the context of authenticated users, including administrators, when they view the infected content in their inbox or social network interface.'}, {'type': 'paragraph', 'content': 'This allows attackers to execute arbitrary scripts within the LMS environment, potentially leading to full account takeover through session hijacking, unauthorized actions with the victimβs privileges, data theft, and spreading the attack to other users.'}, {'type': 'paragraph', 'content': 'The root cause is improper input sanitization (CWE-79), where user input is not properly neutralized before being included in web pages.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including:
- Full takeover of administrator accounts via session hijacking.
- Execution of unauthorized actions with the privileges of the compromised admin.
- Exfiltration of sensitive data stored within the LMS.
- Potential self-propagation of the attack to other users, increasing the scope of compromise.
Overall, it compromises the confidentiality, integrity, and availability of the LMS system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying attempts to upload malicious files containing JavaScript code through the Social Networks file upload functionality in Chamilo LMS versions prior to 1.11.34.'}, {'type': 'paragraph', 'content': 'You can monitor web server logs for suspicious file upload requests or payloads containing script tags or JavaScript code.'}, {'type': 'paragraph', 'content': 'Additionally, inspecting the inbox or social network interface for unexpected or suspicious content that could execute scripts may help detect exploitation.'}, {'type': 'list_item', 'content': "Use web server log analysis tools or commands such as `grep` to search for suspicious upload requests, e.g., `grep -i '<script' /var/log/apache2/access.log`."}, {'type': 'list_item', 'content': 'Use network monitoring tools to detect unusual HTTP POST requests to the file upload endpoints.'}, {'type': 'list_item', 'content': 'Manually review uploaded files or database entries related to social network uploads for embedded JavaScript.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade Chamilo LMS to version 1.11.34 or later, where this vulnerability has been fixed.
Until the upgrade can be applied, restrict or disable the Social Networks file upload functionality to prevent malicious file uploads.
Additionally, review and remove any suspicious or untrusted uploaded files that could contain malicious scripts.
Implement monitoring and alerting on file uploads and user inbox content to detect potential exploitation attempts.