Detections
Analytics

CVE-2025-59542

critical

Description

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-pxrh-3rcp-h7m6

https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34

Details

Source: Mitre, NVD

Published: 2026-03-06

Updated: 2026-03-09

Risk Information

CVSS v2

Base Score: 3.5

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

Severity: Low

CVSS v3

Base Score: 9

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.00041