Executive Summary

CVE-2025-59540 is a stored Cross-Site Scripting (XSS) vulnerability in Chamilo LMS versions up to and including 1.11.32, specifically affecting the exercise feedback feature.

This vulnerability allows a staff-level user to inject arbitrary JavaScript code into the feedback field on the exercise history page. The injected script is stored persistently in the database and executes in the browsers of higher-privileged admin users when they view the exercise history.

The root cause is insufficient output encoding of the feedback input before rendering, allowing malicious scripts to persist and execute. This issue requires only low privileges (staff account) and no user interaction beyond viewing the feedback by an admin.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can lead to execution of arbitrary JavaScript in the browsers of admin users, potentially resulting in session cookie theft and privilege escalation from staff to admin.

This means an attacker with a staff account could gain full administrative control over the Chamilo LMS system.

The attack complexity is low, and it can be exploited remotely over the network without any user interaction other than the admin viewing the malicious feedback.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves stored Cross-Site Scripting (XSS) in the feedback input on the exercise history page of Chamilo LMS. Detection involves identifying malicious JavaScript code injected into the feedback fields stored in the database.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability, you can inspect the feedback entries in the database for suspicious script tags or JavaScript code. Additionally, monitoring HTTP responses for unencoded or unsanitized feedback content when admin users access the exercise history page can help identify exploitation attempts.'}, {'type': 'paragraph', 'content': 'Specific commands depend on your environment, but example approaches include:'}, {'type': 'list_item', 'content': "Query the database for feedback fields containing script tags or suspicious HTML, e.g., using SQL: SELECT * FROM feedback_table WHERE feedback LIKE '%<script>%';"}, {'type': 'list_item', 'content': 'Use web application scanning tools that detect stored XSS vulnerabilities by submitting payloads and observing if they execute in admin browsers.'}, {'type': 'list_item', 'content': 'Monitor web server logs for unusual requests or payloads targeting the exercise history feedback input.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Chamilo LMS to version 1.11.34 or later, where this stored XSS vulnerability has been patched.

Until the upgrade can be applied, consider restricting staff user permissions to limit who can submit feedback, and avoid having higher-privileged admin users view exercise history pages containing untrusted feedback.

Additionally, implement input validation and output encoding on feedback fields to prevent script injection and execution.

Review and harden session management and access controls as described in the 1.11.34 release notes to reduce risk.

Useful 0 Not Useful 0