Vulnerabilities ›

CVE-2025-52475

Medium

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter is

CWE-79 — Weakness Type

                    Published: Mar 2, 2026                      ·  Modified: Mar 5, 2026                      ·  Source: NVD                

CVSS v3

6.1

🔗 NVD Official

📄 Description (English)

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This issue has been patched in version 1.11.30.

🤖 AI Executive Summary

Chamilo LMS versions prior to 1.11.30 contain a reflected XSS vulnerability in the admin/user_list.php endpoint through the keyword_inactive parameter. While the CVSS score is moderate (6.1), the vulnerability could allow attackers to steal admin credentials, manipulate user data, or compromise educational institution networks. A patch is available and should be applied immediately to all affected Chamilo deployments.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 23, 2026 17:34

🇸🇦 Saudi Arabia Impact Assessment

Saudi educational institutions, universities, and government training centers using Chamilo LMS are at risk. The vulnerability could allow attackers to compromise admin accounts, steal student/staff credentials, manipulate grades and records, or distribute malware within educational networks. Ministry of Education (MOE), ARAMCO training divisions, and SAMA banking training programs using Chamilo are particularly vulnerable. The reflected XSS nature means targeted phishing campaigns against administrators could be highly effective.

🏢 Affected Saudi Sectors

Education Government Training and Development Higher Education Institutions Corporate Training Centers

🎯 MITRE ATT&CK Techniques

T1598.003 - Phishing: Spearphishing Link T1566.002 - Phishing: Phishing - Spearphishing Link T1190 - Exploit Public-Facing Application T1539 - Steal Web Session Cookie T1056.004 - Interaction - Capture Keystrokes

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

1. IMMEDIATE: Identify all Chamilo LMS instances in your organization using version < 1.11.30

2. PATCH: Upgrade to Chamilo 1.11.30 or later immediately

3. VALIDATION: After patching, verify the keyword_inactive parameter is properly HTML-encoded in admin/user_list.php

4. DETECTION: Monitor web server logs for suspicious patterns in admin/user_list.php requests containing script tags or encoded JavaScript

5. COMPENSATING CONTROL: If immediate patching is not possible, implement WAF rules to block requests containing <script>, javascript:, onerror=, onload= in the keyword_inactive parameter

6. CREDENTIAL RESET: Force password reset for all admin accounts as precautionary measure

7. AUDIT: Review admin access logs for the past 30 days for unauthorized activities

8. COMMUNICATION: Notify all users to report suspicious emails requesting admin credentials

🔧 خطوات المعالجة (العربية)

1. فوري: حدد جميع نسخ Chamilo LMS في مؤسستك التي تستخدم إصدار < 1.11.30

2. تصحيح: قم بالترقية إلى Chamilo 1.11.30 أو إصدار أحدث فوراً

3. التحقق: بعد التصحيح، تحقق من أن معامل keyword_inactive مشفر بشكل صحيح في admin/user_list.php

4. الكشف: راقب سجلات خادم الويب للأنماط المريبة في طلبات admin/user_list.php التي تحتوي على علامات script أو JavaScript مشفر

5. التحكم البديل: إذا لم يكن التصحيح الفوري ممكناً، قم بتطبيق قواعد WAF لحظر الطلبات التي تحتوي على <script>، javascript:، onerror=، onload= في معامل keyword_inactive

6. إعادة تعيين بيانات الاعتماد: فرض إعادة تعيين كلمة المرور لجميع حسابات المسؤول كإجراء احترازي

7. التدقيق: راجع سجلات وصول المسؤول لآخر 30 يوماً للأنشطة غير المصرح بها

8. التواصل: أخطر جميع المستخدمين بالإبلاغ عن رسائل بريد إلكترونية مريبة تطلب بيانات اعتماد المسؤول

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 - Input Validation and Sanitization 5.2.2 - Web Application Security Controls 5.3.1 - Secure Coding Practices 6.1.1 - Vulnerability Management

🔵 SAMA CSF

ID.RA-1 - Asset Management and Vulnerability Identification PR.DS-1 - Data Security and Protection DE.CM-1 - Detection and Monitoring RS.RP-1 - Response Planning

🟡 ISO 27001:2022

A.14.2.1 - Secure development policy A.14.2.5 - Secure development environment A.12.6.1 - Management of technical vulnerabilities

🔗 References & Sources 3

🔗

https://github.com/chamilo/chamilo-lms/commit/349062d31533d464feea78d41996bc0857f90f61

security-advisories@github.com

Patch

🔗

https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30

security-advisories@github.com

Product Release Notes

🔗

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7p5f-34rx-49h8

security-advisories@github.com

Vendor Advisory

📦 Affected Products / CPE 1 entries

chamilo:chamilo_lms

📊 CVSS Score

6.1

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.1

CWECWE-79

Exploit No

Patch ✓ Yes

Published 2026-03-02

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

patch-available CWE-79

🏢 Vendor Advisories

🔗 https://github.com/chamilo/chamilo-lms/security/advi...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2025-52475

Introduce Yourself

Sign In Required