CVE-2025-59543
Status: Received - Intake
Stored XSS in Chamilo Course Description Enables Admin Account Takeover

Publication date: 2026-03-06

Last updated on: 2026-03-09

Assigner: GitHub, Inc.

Description
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-06
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: chamilo
Product: chamilo_lms
Version / Range: up to 1.11.34 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-59543 is a critical stored cross-site scripting (XSS) vulnerability in Chamilo LMS versions 1.11.32 and earlier. It occurs in the course description field of the Course Management component, where an attacker with low privileges, such as a trainer, can inject malicious JavaScript code.

When other users, including administrators, view the compromised course description page, the injected script executes in their browser context. This allows the attacker to steal sensitive session cookies or tokens.

The stolen credentials can lead to account takeover (ATO) of higher-privileged users, enabling privilege escalation and further compromise of the LMS system.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized access to user accounts, especially those with higher privileges like administrators.

An attacker can execute arbitrary JavaScript code in the context of other users, leading to theft of session cookies or tokens.

This can result in account takeover (ATO), allowing the attacker to access sensitive data, modify courses, change system configurations, and potentially compromise the entire LMS instance.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves malicious JavaScript injected into the course description field of Chamilo LMS versions 1.11.32 and earlier. Detection involves inspecting course descriptions for suspicious or unexpected JavaScript code.

You can detect the vulnerability by reviewing course description fields for embedded scripts or unusual HTML tags. Additionally, monitoring HTTP traffic for suspicious payloads targeting the course description page may help identify exploitation attempts.

- Use database queries to search for script tags or suspicious JavaScript in the course description field, for example: SELECT * FROM course_descriptions WHERE description LIKE '%<script>%';
- Use web application security scanners or tools that detect stored XSS vulnerabilities on the course description pages.
- Monitor web server logs for unusual requests or payloads containing JavaScript code targeting course description URLs. [1]
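As an added defender-side example (not code from this page or from the Chamilo project), the check below goes beyond the single LIKE '%<script>%' query above: it parses stored course descriptions, assumed here to be fetched as (course_id, html) rows, and flags the script-bearing constructs an HTML-aware review would look for. The sample rows are constructed.

```python
from html.parser import HTMLParser

# Markup a low-privileged user (e.g. a trainer) has no reason to put in a
# course description; each of these is a way to run script in the browser
# of whoever views the course information page.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


class XssIndicatorScanner(HTMLParser):
    """Collects indicators of script injection found in one HTML fragment."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lower-cases tag and attribute names
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            value = (value or "").strip().lower().replace(" ", "")
            if name.startswith("on"):              # inline event handler
                self.findings.append(f"attr:{name}")
            elif name in URL_ATTRS and value.startswith(SCRIPT_SCHEMES):
                self.findings.append(f"{name}:{value.split(':', 1)[0]}")
            elif name == "srcdoc":                 # inline document in an iframe
                self.findings.append("attr:srcdoc")


def scan_description(html: str) -> list:
    """Return the list of XSS indicators found in one course description."""
    scanner = XssIndicatorScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def find_suspicious_descriptions(rows):
    """rows: iterable of (course_id, description_html) tuples (assumed shape,
    e.g. selected from the LMS database). Returns {course_id: [indicators]}."""
    return {cid: hits for cid, html in rows if (hits := scan_description(html))}


# Constructed sample rows, not real Chamilo data
SAMPLE_ROWS = [
    (101, "<p>Intro to <b>networking</b>. See <a href='https://example.org'>syllabus</a>.</p>"),
    (102, "<p>Welcome</p><script>document.title='x'</script>"),
    (103, "<img src='x' onerror='void 0'><a href='JavaScript:void(0)'>link</a>"),
]

if __name__ == "__main__":
    for cid, hits in find_suspicious_descriptions(SAMPLE_ROWS).items():
        print(f"course {cid}: {', '.join(hits)}")
```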


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Chamilo LMS to version 1.11.34 or later, where this stored XSS vulnerability has been patched.

Until the upgrade can be applied, restrict low-privileged users (such as trainers) from editing course descriptions or sanitize inputs to prevent JavaScript injection.

Additionally, educate users to avoid clicking on suspicious course descriptions and monitor for unusual activity that may indicate exploitation attempts.

