CVE-2025-59542
Stored XSS in Chamilo Learning Path Enables Admin Account Takeover
Publication date: 2026-03-06
Last updated on: 2026-03-09
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| chamilo | chamilo_lms | up to 1.11.34 (excluding 1.11.34) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59542 is a critical stored cross-site scripting (XSS) vulnerability in Chamilo LMS versions 1.11.32 and earlier. It exists in the Course Management component, specifically in the Course → Learning Path Settings field. An attacker with a low-privileged account, such as a trainer, can inject malicious JavaScript code into this field.
When other users, including administrators, view the affected course information page, the injected script executes in their browser context. This allows the attacker to steal sensitive session cookies or tokens, leading to account takeover (ATO) of higher-privileged users.
The vulnerability enables privilege escalation from trainer to administrator and can result in further compromise of the LMS instance, including unauthorized access to user data, courses, and system configurations. This issue was patched in Chamilo LMS version 1.11.34.
How can this vulnerability impact me?
This vulnerability can have severe impacts including session hijacking and account takeover of higher-privileged users such as administrators.
An attacker can escalate privileges from a low-privileged user (trainer) to an administrator, potentially gaining full control over the Chamilo LMS environment.
This can lead to unauthorized access to sensitive user data, courses, and system configurations, as well as possible disruption of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for malicious JavaScript code injected into the Course → Learning Path Settings field within Chamilo LMS versions 1.11.32 and earlier.
Since the vulnerability is a stored cross-site scripting (XSS) issue, you can inspect the database or exported course settings for suspicious script tags or JavaScript code in the Learning Path Settings field.
There are no specific commands provided in the resources, but general approaches include:
- Querying the database for entries in the Learning Path Settings field containing <script> tags or suspicious JavaScript code.
- Using web application security scanners or XSS detection tools against the course information pages to identify execution of injected scripts.
- Monitoring HTTP traffic for unusual JavaScript payloads or suspicious requests when users access course pages.
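The first approach above, scanning stored or exported settings values for script tags and other active content, can be implemented as a small offline check. The following is an added example written for this page; it is not code from the Chamilo project or from the resources linked to the CVE. The field name `lp_settings` and the record layout are assumptions (the page does not give Chamilo's real table or column names), and the sample records are constructed test data. The scanner decodes HTML entities before matching, so an encoded or double-encoded payload is not missed, and it reports which indicator fired so an analyst can review each hit rather than treating every match as confirmed.

```python
import html
import re
from typing import Dict, Iterable, List, Optional

# Indicators of active content in a field that should hold plain settings text.
# Each is a hint for review, not proof of a stored XSS; matching is case-insensitive
# and tolerates whitespace inside tags.
XSS_INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "active_element": re.compile(r"<\s*(iframe|object|embed|svg|img)\b", re.IGNORECASE),
}

# Assumed field name; Chamilo's actual column for Learning Path settings is not on the page.
SETTINGS_FIELD = "lp_settings"

# Constructed sample records standing in for exported course settings rows.
SAMPLE_RECORDS: List[Dict[str, Optional[object]]] = [
    {"course_id": 101, "lp_settings": "Introduction to Algebra - module 1"},
    {"course_id": 102, "lp_settings": "<ScRiPt >void(0)</script>"},
    {"course_id": 103, "lp_settings": "&lt;img src=x onerror=void(0)&gt;"},
    {"course_id": 104, "lp_settings": '<a href="javascript:void(0)">Start</a>'},
    {"course_id": 105, "lp_settings": "Scripting lab: notes on error handling"},
    {"course_id": 106, "lp_settings": "&amp;lt;script&amp;gt;void(0)&amp;lt;/script&amp;gt;"},
    {"course_id": 107, "lp_settings": None},
]


def normalize(value: str) -> str:
    """Decode HTML entities twice so single- and double-encoded markup is inspected as markup."""
    return html.unescape(html.unescape(value))


def scan_field(value: str) -> List[str]:
    """Return the names of every indicator that matches the decoded field value."""
    text = normalize(value)
    return [name for name, pattern in XSS_INDICATORS.items() if pattern.search(text)]


def scan_records(records: Iterable[Dict[str, Optional[object]]], field: str = SETTINGS_FIELD) -> List[Dict[str, object]]:
    """Scan one field across many records; non-string values (NULLs, numbers) are skipped."""
    findings = []
    for rec in records:
        value = rec.get(field)
        if not isinstance(value, str):
            continue
        hits = scan_field(value)
        if hits:
            findings.append({
                "course_id": rec.get("course_id"),
                "indicators": hits,
                "snippet": value[:80],  # enough context for triage without dumping the field
            })
    return findings


def flagged_course_ids(records: Iterable[Dict[str, Optional[object]]]) -> List[int]:
    """Convenience view: just the course ids that need a manual look."""
    return [f["course_id"] for f in scan_records(records)]


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"course {finding['course_id']}: {', '.join(finding['indicators'])} -> {finding['snippet']!r}")
```

In practice the records would come from a database export or the course backup rather than an inline list; the scanning functions take any iterable of dict-like rows so that swap is a one-line change. Plain text that merely mentions scripting (course 105) is not flagged, while the case-varied, entity-encoded and double-encoded payloads are.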
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade Chamilo LMS to version 1.11.34 or later, where this stored XSS vulnerability has been patched.
Until the upgrade can be performed, restrict low-privileged users (such as trainers) from accessing or modifying the Course → Learning Path Settings field to prevent injection of malicious scripts.
Additionally, monitor user activity for suspicious behavior and consider applying web application firewall (WAF) rules to block or sanitize malicious JavaScript payloads targeting the vulnerable fields.