CVE-2025-52470
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in Chamilo LMS allows privileged users to inject malicious JavaScript into the Category Name field. This script executes when accessing add_many_sessions_to_category.php, potentially compromising administrative sessions. Users of Chamilo LMS versions before 1.11.30 are affected.
💻 Affected Systems
- Chamilo LMS
📦 What is this software?
Chamilo LMS by Chamilo
⚠️ Risk & Real-World Impact
Worst Case
Administrative account takeover leading to full system compromise, data theft, or further privilege escalation within the learning management system.
Likely Case
Session hijacking of administrators, unauthorized access to sensitive student/teacher data, or defacement of the learning platform.
If Mitigated
Limited impact due to proper input validation, output encoding, and Content Security Policy (CSP) headers preventing script execution.
🎯 Exploit Status
Exploitation requires authenticated privileged access; payload is stored and triggers on specific page access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.30
Vendor Advisory: https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-p4m6-gwhg-x89f
Restart Required: No
Instructions:
1. Back up your Chamilo installation and database.
2. Download version 1.11.30 from the official repository.
3. Replace affected files, particularly session_category_add.php and related scripts.
4. Verify the patch by checking for proper input sanitization in the updated code.
🔧 Temporary Workarounds
Input Validation Enhancement
Manually add input validation to sanitize the Category Name field before it is processed.
Edit session_category_add.php to apply htmlspecialchars() or similar sanitization to the Category Name input.
Content Security Policy (CSP)
Implement CSP headers to restrict script execution to trusted sources.
Add the header Content-Security-Policy: default-src 'self'; script-src 'self' to your web server configuration.
🧯 If You Can't Patch
- Restrict access to session management features to only essential administrators.
- Implement web application firewall (WAF) rules to block XSS payloads in the Category Name field.
🔍 How to Verify
Check if Vulnerable:
Check if your Chamilo version is below 1.11.30 by reviewing the system information in the admin panel or checking the version file.
Check Version:
Check the version in the Chamilo admin interface or inspect the main configuration file for version details.
Verify Fix Applied:
After patching, test by attempting to inject a simple XSS payload (e.g., <script>alert('test')</script>) into the Category Name field and verify it is properly sanitized or blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual entries in web server logs showing script tags or JavaScript in POST requests to session_category_add.php.
- Administrative session anomalies or unexpected access patterns.
Network Indicators:
- HTTP requests containing malicious script payloads in the Category Name parameter.
SIEM Query:
source="web_server_logs" AND (uri="/session_category_add.php" OR uri="/add_many_sessions_to_category.php") AND (payload CONTAINS "<script>" OR payload CONTAINS "javascript:")
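The log indicators and SIEM query above, worked as an offline check over constructed access-log lines (added example, not Chamilo code). It assumes a combined-format log whose URI keeps its query string and whose POST body is mirrored into a trailing body="..." field; that field and the parameter name `name` for the Category Name field are assumptions of this example.

```python
import re
from urllib.parse import parse_qs

# Script names from the advisory, matched on basename so the install prefix does not matter.
WATCHED_SCRIPTS = {"session_category_add.php", "add_many_sessions_to_category.php"}
# The two indicators the SIEM query names, matched case-insensitively after URL decoding.
XSS_PATTERN = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)

# Combined log format plus an assumed, optional body="..." field mirroring the POST body.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
    r'(?: body="(?P<body>[^"]*)")?'
)

def inspect_line(line):
    """Return a finding for a watched-script request carrying an XSS indicator, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    if path.rsplit("/", 1)[-1] not in WATCHED_SCRIPTS:
        return None
    # parse_qs percent-decodes, so %3Cscript%3E is inspected as <script>.
    params = parse_qs(query, keep_blank_values=True)
    for key, values in parse_qs(m.group("body") or "", keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    for key, values in params.items():
        for value in values:
            if XSS_PATTERN.search(value):
                return {"ip": m.group("ip"), "user": m.group("user"),
                        "uri": path, "param": key, "value": value}
    return None

def scan(lines):
    """Run inspect_line over an iterable of log lines and collect the findings."""
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample log: one benign save, one stored-XSS attempt, two unrelated requests.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Jun/2025:10:01:02 +0000] "POST /session_category_add.php HTTP/1.1" 302 0 body="name=Spring+2025&description=Term"',
    '10.0.0.5 - admin [12/Jun/2025:10:02:10 +0000] "POST /session_category_add.php HTTP/1.1" 302 0 body="name=%3Cscript%3Ealert%28%27test%27%29%3C%2Fscript%3E"',
    '10.0.0.9 - admin [12/Jun/2025:10:03:00 +0000] "GET /add_many_sessions_to_category.php?id=3 HTTP/1.1" 200 5120',
    '10.0.0.7 - teacher [12/Jun/2025:10:04:30 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only the second line is reported: the benign save has no indicator, and the fourth line carries one but targets a script outside the advisory's scope.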