9
CVE-2025-59543
- EPSS 0.25%
- Veröffentlicht 06.03.2026 03:32:06
- Zuletzt bearbeitet 09.03.2026 17:31:32
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Chamilo: Account Takeover via Stored XSS in Course Description
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Chamilo ≫ Chamilo Lms Version < 1.11.34
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.25% | 0.163 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 9 | 2.3 | 6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-p32q-6gh3-3gcv