CVE-2025-52468
MEDIUM EPSS 27.0%
Published Mar 2, 20264mo ago · Modified Mar 3, 20263mo ago
6.1 CVSS 3.1
Published Mar 2, 2026 4mo ago
Last Modified Mar 3, 2026 3mo ago
Description
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows attackers to inject a stored cross-site scripting (XSS) payload that is triggered when the user profile is viewed, potentially leading to malicious script execution in the context of the authenticated use. This issue has been patched in version 1.11.30.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None
Threat Intelligence
EPSS Exploit Probability
27.0% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available
Weaknesses 1
CWE-79 Cross-site Scripting Injection
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| chamilo | chamilo_lms | * | <1.11.30 |
References 3
- github.com https://github.com/chamilo/chamilo-lms/commit/790ef513aceacae6fe5b6641145901f04c7992dd
- github.com https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
- github.com https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hc3c-8p55-xh4r
Remediation
- github.com https://github.com/chamilo/chamilo-lms/commit/790ef513aceacae6fe5b6641145901f04c7992dd