CVE-2025-59540
Status: Received - Intake
Stored XSS in Chamilo LMS Allows Admin Session Hijacking

Publication date: 2026-03-06

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is not properly encoded before rendering, allowing malicious scripts to persist in the database and execute on view. This issue has been patched in version 1.11.34.
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-09
Generated: 2026-05-07
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: chamilo
Product: chamilo_lms
Version / Range: up to 1.11.34 (1.11.34 excluded)
CWE
CWE-80: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-59540 is a stored Cross-Site Scripting (XSS) vulnerability in Chamilo LMS versions up to and including 1.11.32, specifically affecting the exercise feedback feature.

This vulnerability allows a staff-level user to inject arbitrary JavaScript code into the feedback field on the exercise history page. The injected script is stored persistently in the database and executes in the browsers of higher-privileged admin users when they view the exercise history.

The root cause is insufficient output encoding of the feedback input before rendering, allowing malicious scripts to persist and execute. This issue requires only low privileges (staff account) and no user interaction beyond viewing the feedback by an admin.


How can this vulnerability impact me?

The vulnerability can lead to execution of arbitrary JavaScript in the browsers of admin users, potentially resulting in session cookie theft and privilege escalation from staff to admin.

This means an attacker with a staff account could gain full administrative control over the Chamilo LMS system.

The attack complexity is low, and it can be exploited remotely over the network without any user interaction other than the admin viewing the malicious feedback.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves stored Cross-Site Scripting (XSS) in the feedback input on the exercise history page of Chamilo LMS. Detection involves identifying malicious JavaScript code injected into the feedback fields stored in the database.

To detect this vulnerability, you can inspect the feedback entries in the database for suspicious script tags or JavaScript code. Additionally, monitoring HTTP responses for unencoded or unsanitized feedback content when admin users access the exercise history page can help identify exploitation attempts.

Specific commands depend on your environment, but example approaches include:

- Query the database for feedback fields containing script tags or suspicious HTML, e.g., using SQL: SELECT * FROM feedback_table WHERE feedback LIKE '%<script>%';
- Use web application scanning tools that detect stored XSS vulnerabilities by submitting payloads and observing if they execute in admin browsers.
- Monitor web server logs for unusual requests or payloads targeting the exercise history feedback input. [1]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Chamilo LMS to version 1.11.34 or later, where this stored XSS vulnerability has been patched.

Until the upgrade can be applied, consider restricting staff user permissions to limit who can submit feedback, and avoid having higher-privileged admin users view exercise history pages containing untrusted feedback.

Additionally, implement input validation and output encoding on feedback fields to prevent script injection and execution.

Review and harden session management and access controls as described in the 1.11.34 release notes to reduce risk.
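As an added illustration that is not part of this page or of the Chamilo project, the Python script below ties together the detection approach from the earlier answer (screening stored feedback rows for script content) and the output-encoding mitigation from the answer above (rendering feedback into HTML only after escaping). It runs over a few constructed feedback rows; the row layout, column names and the render helpers are assumptions, not Chamilo's real schema or code. The screening pattern goes beyond the page's LIKE '%<script>%' query by also flagging inline event-handler attributes and javascript: URLs, which a plain script-tag search would miss.

```python
import html
import re

# Constructed sample rows standing in for stored exercise feedback.
# Column names ("id", "author", "feedback") are assumptions, not Chamilo's schema.
SAMPLE_FEEDBACK = [
    {"id": 1, "author": "staff1", "feedback": "Good answer, well argued."},
    {"id": 2, "author": "staff2", "feedback": "<script>alert(1)</script>"},
    {"id": 3, "author": "staff3", "feedback": "<img src=x onerror=alert(1)>"},
    {"id": 4, "author": "staff4", "feedback": "Remember that 5 < 10 and a > b here."},
]

# Broader screen than LIKE '%<script>%': script tags, inline event handlers
# (onerror=, onload=, ...) and javascript: URLs, case-insensitive.
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def is_suspicious(text: str) -> bool:
    """True when the stored feedback looks like it carries active content."""
    return bool(SUSPICIOUS.search(text))


def find_suspicious_feedback(rows):
    """Return the ids of rows whose feedback should be reviewed by hand."""
    return [row["id"] for row in rows if is_suspicious(row["feedback"])]


def render_feedback_unsafe(text: str) -> str:
    """The vulnerable pattern: feedback is interpolated into HTML verbatim,
    so a stored payload becomes live markup in the admin's browser."""
    return f"<td>{text}</td>"


def render_feedback_safe(text: str) -> str:
    """The mitigated pattern: HTML-escape before rendering so '<', '>', '&'
    and quotes are shown as text instead of being parsed as markup."""
    return f"<td>{html.escape(text, quote=True)}</td>"


def render_page(rows, safe: bool = True) -> str:
    """Render all rows as one table body, with either the safe or unsafe cell renderer."""
    render = render_feedback_safe if safe else render_feedback_unsafe
    return "\n".join(f"<tr>{render(row['feedback'])}</tr>" for row in rows)


if __name__ == "__main__":
    flagged = find_suspicious_feedback(SAMPLE_FEEDBACK)
    print("rows to review:", flagged)
    print("--- unsafe rendering (payloads survive as markup) ---")
    print(render_page(SAMPLE_FEEDBACK, safe=False))
    print("--- escaped rendering (payloads shown as inert text) ---")
    print(render_page(SAMPLE_FEEDBACK, safe=True))
```

Row 4 shows why the screen should stay a review aid rather than an automatic filter: legitimate feedback can contain "<" and ">" and must still be stored, which is exactly why the fix belongs at output encoding rather than at rejecting input.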

