anonhaven
Ad

CVE-2025-59540

MEDIUM CVSS 4.0: 6.4 EPSS 0.05%
Updated Mar 06, 2026
Chamilo
Parameter Value
CVSS 6.4 (MEDIUM)
Fixed In 1.11.34
Type CWE-80 (Improper Neutralization of Script-Related HTML Tags (XSS)), CWE-79 (Cross-Site Scripting (XSS) (Межсайтовый скриптинг))
Vendor Chamilo
Public PoC No

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is not properly encoded before rendering, allowing malicious scripts to persist in the database and execute on view.

This issue has been patched in version 1.11.34.

Attack Parameters

Attack Vector
Network
Атака возможна удалённо
Attack Complexity
Low
Легко эксплуатировать
Attack Requirements
None
Нет дополнительных условий
Privileges Required
Low
Нужны базовые права
User Interaction
Passive
Минимальное взаимодействие

Impact Assessment

Confidentiality
None
Нет утечки данных
Integrity
None
Нет модификации данных
Availability
None
Нет нарушения работы

CVSS Vector v4.0

Weakness Type (CWE)

CWE-80 Improper Neutralization of Script-Related HTML Tags (XSS)
CWE-79 Cross-Site Scripting (XSS) (Межсайтовый скриптинг)

References 2

https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34
security-advisories@github.com
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59h4-34mx-m67m
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-29041

Chamilo

8.8

CVE-2025-59544

Chamilo

6.9

CVE-2025-59543

Chamilo

9.0

CVE-2025-59542

Chamilo

9.0

CVE-2025-59541

Chamilo

8.1