Vulnerability Description
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.
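Defender-side triage for the issue described above, as an added example that is not Chamilo's own code: a version check against the fixed release, a heuristic scan of stored course descriptions for active content, and the output encoding that neutralises such content when rendered. It assumes descriptions have been exported as (course_code, description) pairs; the sample rows are constructed.

```python
"""Triage helpers for CVE-2025-59543 (stored XSS via the Chamilo course
description field, fixed in 1.11.34).  Added example, not project code."""
import html
import re

PATCHED_VERSION = (1, 11, 34)

# Markers of active content in a field that should only hold formatted text.
# This is a triage heuristic, not a substitute for a real HTML sanitizer.
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|on[a-z]+\s*=|<\s*(iframe|object|embed)",
    re.IGNORECASE,
)


def parse_version(version: str) -> tuple:
    """Turn '1.11.32' into (1, 11, 32) so releases compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the installed Chamilo release predates the fix."""
    return parse_version(version) < PATCHED_VERSION


def find_suspicious(courses):
    """Course codes whose stored description carries script or event handlers.
    Entities are decoded first so '&lt;script&gt;' is inspected as '<script>'."""
    return [code for code, desc in courses if SUSPICIOUS.search(html.unescape(desc))]


def render_safely(description: str) -> str:
    """Context-aware output encoding: text rendered this way cannot execute."""
    return html.escape(description, quote=True)


# Constructed sample rows (hypothetical, not real Chamilo data).
SAMPLE_COURSES = [
    ("MATH101", "<p>Intro to <b>calculus</b></p>"),
    ("HIST200", '<p onmouseover="trackEvent()">History</p>'),  # constructed
    ("BIO150", "<p>Cell biology</p>"),
]

if __name__ == "__main__":
    print("1.11.33 affected:", is_affected("1.11.33"))
    print("flagged courses:", find_suspicious(SAMPLE_COURSES))
    print("escaped:", render_safely(SAMPLE_COURSES[1][1]))
```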
CVSS Score
9.0 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Chamilo | Chamilo Lms | < 1.11.34 |
Related Weaknesses (CWE)
References
- https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 (Product Release Notes)
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-p32q-6gh3-3gcv (Vendor Advisory)
FAQ
What is CVE-2025-59543?
CVE-2025-59543 is a vulnerability with a CVSS score of 9.0 (CRITICAL). Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an a...
How severe is CVE-2025-59543?
CVE-2025-59543 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-59543?
Check the references section above for vendor advisories and patch information. Affected products include: Chamilo Chamilo Lms.