Vulnerability Description
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform’s social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim’s privileges, exfiltration of sensitive data, and potential self-propagation to other users. This issue has been patched in version 1.11.34.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chamilo | Chamilo Lms | < 1.11.34 |
Related Weaknesses (CWE)
References
- https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34ProductRelease Notes
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-cchj-3qmf-82j5Vendor Advisory
FAQ
What is CVE-2025-55289?
CVE-2025-55289 is a vulnerability with a CVSS score of 8.8 (HIGH). Chamilo is a learning management system. Prior to version 1.11.34, there is a stored XSS vulnerability in Chamilo LMS (Verison 1.11.32) allows an attacker to inject arbitrary JavaScript into the platf...
How severe is CVE-2025-55289?
CVE-2025-55289 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-55289?
Check the references section above for vendor advisories and patch information. Affected products include: Chamilo Chamilo Lms.