CVE-2025-52468
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into Chamilo LMS user profiles via CSV import. When other users view these profiles, the scripts execute in their browser context, potentially stealing session cookies or performing actions as the victim. All Chamilo installations prior to version 1.11.30 are affected.
💻 Affected Systems
- Chamilo LMS
📦 What is this software?
Chamilo LMS, by Chamilo
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over accounts, deface the platform, or redirect users to malicious sites, potentially leading to complete system compromise.
Likely Case
Attackers steal user session cookies to hijack accounts, perform unauthorized actions, or deploy phishing attacks against other users.
If Mitigated
With proper input validation and output encoding, the XSS payloads would be neutralized, preventing script execution while maintaining data integrity.
🎯 Exploit Status
Exploitation requires the ability to import CSV files, which typically requires some level of access. The vulnerability is straightforward to exploit once that access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.30
Vendor Advisory: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hc3c-8p55-xh4r
Restart Required: No
Instructions:
1. Back up your Chamilo installation and database.
2. Download version 1.11.30 from the official repository.
3. Replace the affected files with the patched versions.
4. Clear any caches.
5. Verify the fix by testing CSV import functionality.
🔧 Temporary Workarounds
Disable CSV Import
Temporarily disable CSV user import functionality to prevent exploitation.
Modify configuration to remove CSV import permissions or disable the feature in admin settings
Input Validation Filter
Implement server-side input validation to sanitize the Last Name, First Name, and Username fields.
Add input sanitization functions to filter script tags and special characters before processing CSV data
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from user-controlled data
- Apply output encoding to all user profile fields when displayed to neutralize any injected scripts
🔍 How to Verify
Check if Vulnerable:
Check if your Chamilo version is below 1.11.30 and test CSV import with XSS payloads in Last Name, First Name, or Username fields.
Check Version:
Check the main.inc.php file or admin panel for version information
Verify Fix Applied:
After patching, attempt to import a CSV with XSS payloads and verify the scripts are properly sanitized when viewing user profiles.
📡 Detection & Monitoring
Log Indicators:
- Unusual CSV import activity, especially with special characters or script-like patterns in user data fields
Network Indicators:
- Unexpected script tags in user profile HTTP responses
SIEM Query:
Search CSV import logs for `<script>` tags or `javascript:` protocol strings in user data fields
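The following is an added example, not code from Chamilo or from this advisory, showing both the import-time validation filter described under Temporary Workarounds and the log search described under SIEM Query, built on one shared detection pattern (script tags, `javascript:` URLs, inline event-handler attributes). The CSV header names and the `;` delimiter are assumptions for the example, the log line format is hypothetical, and the sample rows and log lines are constructed test data. It also shows output encoding of the profile fields at render time, which is the layered control that protects profiles even when the filter misses a variant.

```python
import csv
import html
import io
import re

# Constructed sample of a user import CSV. The advisory names Last Name,
# First Name and Username as the injected fields; the header names and the
# ';' delimiter are assumptions for this example, not taken from the advisory.
SAMPLE_CSV = """LastName;FirstName;UserName;Email
Doe;Jane;jdoe;jane@example.invalid
O'Brien;Seán;sobrien;sean@example.invalid
<script>alert(1)</script>;Eve;eve01;eve@example.invalid
Smith;<img src=x onerror=alert(1)>;smith2;smith@example.invalid
Lee;Ann;"javascript:alert(1)";ann@example.invalid
"""

# Constructed import log lines in a hypothetical format (not Chamilo's real log).
SAMPLE_LOG = [
    "2025-06-01T10:00:01Z user_import row=2 lastname=Doe firstname=Jane username=jdoe",
    "2025-06-01T10:00:02Z user_import row=4 lastname=<script>alert(1)</script> firstname=Eve username=eve01",
    "2025-06-01T10:00:03Z user_import row=6 lastname=Lee firstname=Ann username=javascript:alert(1)",
]

# The three fields the advisory identifies as the injection points.
PROFILE_FIELDS = ("LastName", "FirstName", "UserName")

# Script tags, javascript: URLs and inline event-handler attributes: the same
# patterns the advisory suggests searching import logs for.
SUSPICIOUS = re.compile(r"<\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def is_suspicious(value: str) -> bool:
    """True if the value carries a script-like pattern."""
    return bool(SUSPICIOUS.search(value))


def scan_import(csv_text: str, delimiter: str = ";") -> dict:
    """Split an import into rows safe to process and field hits to reject.

    Returns {"accepted": [row, ...], "flagged": [(line_no, field, value), ...]}
    where line_no is the 1-based line in the CSV (the header is line 1).
    """
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=delimiter)
    accepted, flagged = [], []
    for line_no, row in enumerate(reader, start=2):
        hits = [(line_no, f, row[f]) for f in PROFILE_FIELDS if is_suspicious(row[f] or "")]
        if hits:
            flagged.extend(hits)   # reject the whole row; never store the payload
        else:
            accepted.append(row)
    return {"accepted": accepted, "flagged": flagged}


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text or quoted-attribute context."""
    return html.escape(value, quote=True)


def render_profile(row: dict) -> str:
    """Render profile fields with every value encoded, even if it passed the filter."""
    return "".join(
        f"<dt>{field}</dt><dd>{encode_for_html(row[field])}</dd>" for field in PROFILE_FIELDS
    )


def find_suspicious_log_lines(lines) -> list:
    """Return the import log lines that match the detection pattern."""
    return [line for line in lines if is_suspicious(line)]


if __name__ == "__main__":
    result = scan_import(SAMPLE_CSV)
    for line_no, field, value in result["flagged"]:
        print(f"line {line_no}: rejected {field} = {value!r}")
    for row in result["accepted"]:
        print(render_profile(row))
    for line in find_suspicious_log_lines(SAMPLE_LOG):
        print("ALERT:", line)
```

The filter is a blocklist, so it is only a stopgap: it rejects the three constructed payload rows but a determined variant may slip past the pattern, which is why `render_profile` encodes every field regardless. Note that legitimate data such as `O'Brien` passes the filter unchanged and is still encoded to `O&#x27;Brien` at display time, so data integrity is preserved while the browser never interprets profile text as markup.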