PT-2025-39213 · Chamilo · Chamilo

Published: 2025-09-23 · Updated: 2026-03-11 · CVE-2025-59542

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Chamilo versions prior to 1.11.34

Description: Chamilo is a learning management system susceptible to a stored cross-site scripting (XSS) issue. An attacker with a low-privileged account, such as a trainer, can inject malicious JavaScript into the course learning path Settings field. The stored value is later rendered on the course information page, so the injected code executes in the browser of any user viewing that page, potentially including administrators. Successful exploitation can lead to the exfiltration of sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users.

Recommendations: Upgrade to version 1.11.34 or later.
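As an added illustration of the defect class this advisory describes (example code, not Chamilo's own), a hypothetical PHP view that prints a trainer-supplied Settings value for every viewer of the course information page: the vulnerable concatenation beside the HTML-encoded form. The function names, the field contents and the markup are assumptions.

```php
<?php
// Added example, not Chamilo's code: a hypothetical view that renders a
// stored, trainer-controlled "Settings" value on the course information page.
declare(strict_types=1);

// Constructed sample of what a low-privileged account could save in the field.
// The tag is harmless here; it only stands in for attacker-chosen markup.
const SAMPLE_SETTINGS = 'Weekly plan <script>document.title = "x"</script>';

// Vulnerable pattern: the stored value is concatenated into HTML unchanged,
// so the browser of any viewer (an administrator included) runs the script.
function renderSettingsVulnerable(string $settings): string
{
    return '<div class="lp-settings">' . $settings . '</div>';
}

// Hardened pattern: entity-encode for the HTML body context at output time.
// ENT_QUOTES also encodes both quote characters, so the same helper is safe
// inside quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would silently blank the field.
function renderSettingsSafe(string $settings): string
{
    $encoded = htmlspecialchars(
        $settings,
        ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<div class="lp-settings">' . $encoded . '</div>';
}

// Cheap regression check worth keeping in a test suite: rendered output must
// never contain a raw tag opener that came from user-controlled data.
function containsRawTag(string $html, string $tagName): bool
{
    return stripos($html, '<' . $tagName) !== false;
}

// Stand-alone demonstration: the first call reports true, the second false.
var_dump(containsRawTag(renderSettingsVulnerable(SAMPLE_SETTINGS), 'script'));
var_dump(containsRawTag(renderSettingsSafe(SAMPLE_SETTINGS), 'script'));
```

Output encoding is the fix; marking session cookies HttpOnly limits, but does not remove, the cookie-exfiltration impact described above, since injected script can still act on the page as the victim.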

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-59542
GHSA-PXRH-3RCP-H7M6

Affected Products

Chamilo