anonhaven
Ad

CVE-2025-59540

MEDIUM CVSS 4.0: 6.4 EPSS 0.01%
Updated Mar 06, 2026
Chamilo
Parameter Value
CVSS 6.4 (MEDIUM)
Fixed In 1.11.34
Type CWE-80 (Improper Neutralization of Script-Related HTML Tags (XSS)), CWE-79 (Cross-Site Scripting (XSS))
Vendor Chamilo
Public PoC No

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is not properly encoded before rendering, allowing malicious scripts to persist in the database and execute on view.

This issue has been patched in version 1.11.34.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
Passive
Minimal interaction

Impact Assessment

Confidentiality
None
No data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-80 Improper Neutralization of Script-Related HTML Tags (XSS)
CWE-79 Cross-Site Scripting (XSS)

References 2

https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34
security-advisories@github.com
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-59h4-34mx-m67m
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-29041

Chamilo

8.8

CVE-2025-59544

Chamilo

6.9

CVE-2025-59543

Chamilo

9.0

CVE-2025-59542

Chamilo

9.0

CVE-2025-59541

Chamilo

8.1