📄 Description (English)
Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importing user data from CSV files. This flaw occurs due to insufficient sanitization of user data, specifically in the "Last Name", "First Name", and "Username" fields. It allows attackers to inject a stored cross-site scripting (XSS) payload that is triggered when the user profile is viewed, potentially leading to malicious script execution in the context of the authenticated use. This issue has been patched in version 1.11.30.
🤖 AI Executive Summary
Chamilo LMS versions prior to 1.11.30 contain a stored XSS vulnerability in CSV user import functionality affecting the Last Name, First Name, and Username fields. Attackers can inject malicious scripts that execute when user profiles are viewed by authenticated users. With CVSS 8.8 and publicly available exploits, this poses significant risk to educational institutions and organizations using Chamilo for learning management.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 06:09
🇸🇦 Saudi Arabia Impact Assessment
Saudi educational institutions, particularly universities and vocational training centers using Chamilo LMS, face significant risk. Government education sector (Ministry of Education, MOESD) and private educational providers are primary targets. Secondary impact on corporate training departments and e-learning platforms. Attackers could compromise student and staff accounts, steal credentials, distribute malware, or manipulate educational records. Risk is elevated in organizations with inadequate patch management processes.
🏢 Affected Saudi Sectors
Education (Universities, Schools, Training Centers)
Government (Ministry of Education, MOESD)
Corporate Training and Development
E-Learning Platforms
Healthcare (Medical Training Programs)
Professional Development Organizations
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Chamilo LMS instances in your environment and verify current version
2. Restrict CSV user import functionality until patching is complete
3. Review recent CSV imports for suspicious entries in Last Name, First Name, Username fields
4. Audit user profile access logs for unusual activity
PATCHING:
1. Upgrade Chamilo LMS to version 1.11.30 or later immediately
2. Test patch in non-production environment first
3. Implement change management procedures for production deployment
4. Verify patch application by checking version number post-deployment
COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable CSV user import feature at application level
2. Implement input validation rules: reject special characters in name fields
3. Apply Web Application Firewall (WAF) rules to detect XSS patterns
4. Enforce Content Security Policy (CSP) headers to restrict script execution
5. Implement strict output encoding for user profile display
DETECTION:
1. Monitor for CSV imports containing script tags, event handlers (onclick, onload, etc.)
2. Alert on profile views followed by suspicious JavaScript execution
3. Log all CSV import activities with full payload capture
4. Search existing database for stored XSS payloads: <script>, javascript:, onerror=, onload=
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع مثيلات Chamilo LMS في بيئتك والتحقق من الإصدار الحالي
2. تقييد وظيفة استيراد مستخدمي CSV حتى يتم إكمال التصحيح
3. مراجعة عمليات استيراد CSV الأخيرة للبحث عن إدخالات مريبة في حقول الاسم الأخير والاسم الأول واسم المستخدم
4. تدقيق سجلات الوصول إلى ملف تعريف المستخدم للبحث عن نشاط غير عادي
التصحيح:
1. ترقية Chamilo LMS إلى الإصدار 1.11.30 أو أحدث على الفور
2. اختبار التصحيح في بيئة غير الإنتاج أولاً
3. تنفيذ إجراءات إدارة التغيير لنشر الإنتاج
4. التحقق من تطبيق التصحيح بالتحقق من رقم الإصدار بعد النشر
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل ميزة استيراد مستخدمي CSV على مستوى التطبيق
2. تنفيذ قواعد التحقق من الإدخال: رفض الأحرف الخاصة في حقول الأسماء
3. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن أنماط XSS
4. فرض رؤوس سياسة أمان المحتوى (CSP) لتقييد تنفيذ البرامج النصية
5. تنفيذ ترميز إخراج صارم لعرض ملف تعريف المستخدم
الكشف:
1. مراقبة عمليات استيراد CSV التي تحتوي على علامات البرامج النصية ومعالجات الأحداث
2. التنبيه على عروض الملفات الشخصية متبوعة بتنفيذ JavaScript مريب
3. تسجيل جميع أنشطة استيراد CSV مع التقاط الحمولة الكاملة
4. البحث في قاعدة البيانات الموجودة عن حمولات XSS المخزنة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.1.1 - Input validation and data sanitization controls
5.2.1 - Web application security requirements
5.3.2 - Secure coding practices
6.1.1 - Vulnerability management and patching
🔵 SAMA CSF
ID.SC-7 - Software, firmware, and information integrity
PR.DS-6 - Integrity checking mechanisms
PR.IP-1 - System development life cycle
DE.CM-8 - Vulnerability scans
🟡 ISO 27001:2022
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
A.14.3.1 - Separation of development, test and production environments
A.12.6.1 - Management of technical vulnerabilities
🟣 PCI DSS v4.0.1
6.5.1 - Injection flaws prevention
6.5.7 - Cross-site scripting (XSS) prevention
6.2 - Security patches and updates
🔗 References & Sources 3
🔗
https://github.com/chamilo/chamilo-lms/commit/790ef513aceacae6fe5b6641145901f04c7992dd
security-advisories@github.com
Patch
🔗
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
security-advisories@github.com
Product
Release Notes
🔗
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-hc3c-8p55-xh4r
security-advisories@github.com
Exploit
Vendor Advisory
📦 Affected Products / CPE 1 entries
chamilo:chamilo_lms