CRITICAL🇵🇱 Wersja polska

CVE-2025-59542

CVSS 9.0v3.1pub. 2026-03-06upd. 2026-03-09

Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
  • Chamilo Lms

    APP
    Chamilo
    < 1.11.34
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2026-33698CRITICAL9.3PL ✓ten sam produkt

Chamilo LMS: ominięcie uwierzytelnienia i modyfikacja plików przez katalog install

CVE-2026-32892CRITICAL9.1PL ✓ten sam produkt

OS Command Injection w Chamilo LMS — funkcja przenoszenia plików

CVE-2026-33707CRITICAL9.4PL ✓ten sam produkt

Chamilo LMS — przewidywalny token resetowania hasła (CWE-640)

CVE-2026-28430CRITICAL9.3PL ✓ten sam produkt

Niezauwytoryzowany SQL injection w Chamilo LMS — przejęcie konta administratora

CVE-2025-59543CRITICAL9.0PL ✓ten sam produkt

Stored XSS w Chamilo LMS umożliwiający przejęcie kont administratorów

CVE-2025-59542 — Chamilo — Chamilo Lms — CRITICAL — CVSS 9.0 | CVEbaza.pl