Executive Summary

CVE-2026-32893 is a Reflected Cross-Site Scripting (XSS) vulnerability in Chamilo LMS versions prior to 2.0.0-RC.3, specifically in the exercise question list admin panel's pagination feature.

The vulnerability occurs because the pagination code merges all HTTP GET parameters and generates pagination links by embedding them directly into HTML href attributes without proper HTML encoding or sanitization of parameter keys.

An attacker can craft malicious GET parameter keys containing special characters and embedded JavaScript, which breaks out of the href attribute context and injects arbitrary JavaScript code.

This allows execution of arbitrary JavaScript in the browser of an authenticated teacher user.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows execution of arbitrary JavaScript in an authenticated teacher's browser, which can lead to session cookie theft, unauthorized grade manipulation, course content modification, and CSRF attacks with teacher privileges.

Such unauthorized access and manipulation of user data and educational records could potentially violate data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access and modification.

Therefore, this vulnerability poses a risk to compliance with these standards by exposing sensitive user data and system integrity to attackers.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows an attacker to execute arbitrary JavaScript in the browser of an authenticated teacher, which can lead to several security impacts.

• Theft of session cookies, potentially allowing account takeover.
• Unauthorized manipulation of grades.
• Modification of course content, including adding, editing, or deleting exercises.
• Enabling Cross-Site Request Forgery (CSRF) attacks with teacher privileges.

Overall, this vulnerability compromises the confidentiality and integrity of the system with moderate severity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting HTTP GET requests to the exercise question list admin panel in Chamilo LMS and checking for suspicious or malformed query parameters that include characters such as double quotes (") or embedded JavaScript code.

Specifically, look for GET parameters with keys containing characters that could break out of HTML href attributes, such as: "><img src=x onerror=alert(1)>x

You can use web server logs or proxy tools to search for such patterns in URLs.

Example commands to detect suspicious requests might include:

• Using grep on web server logs to find suspicious GET parameters: grep -E '"|<script|onerror' access.log
• Using curl to test the vulnerability by sending crafted GET requests: curl -i 'https://your-chamilo-instance/path?exerciseId=1&"%3E%3Cimg%20src=x%20onerror=alert(1)%3E=x=1&page=1'
• Using browser developer tools to inspect the pagination links in the admin panel for unencoded or suspicious query parameters.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Chamilo LMS to version 2.0.0-RC.3 or later, where this vulnerability has been fixed.

The fix involves sanitizing and encoding output in the pagination feature and restricting query parameters included in pagination URLs to a whitelist of safe keys.

If upgrading immediately is not possible, as a temporary measure, restrict access to the exercise question list admin panel to trusted users only and monitor for suspicious activity.

Additionally, review and apply the patch that filters query parameters using a whitelist approach to prevent injection via malicious GET parameter keys.

Useful 0 Not Useful 0