CVE-2025-55289
Published: 06 March 2026
Summary
CVE-2025-55289 is a high-severity cross-site scripting (CWE-79) vulnerability in Chamilo LMS. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks at the 4.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly validates inputs to the social network and internal messaging features, preventing injection of arbitrary JavaScript payloads.
- Filters and encodes output from the social network and messaging features when it is rendered in users' browsers, blocking XSS payload execution.
- Requires timely patching of the specific stored XSS flaw, as addressed in Chamilo version 1.11.34.
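The two controls above (input validation and output encoding) applied to a message-rendering path, as an added PHP example that is not Chamilo's own code: the message array shape, the function names and the length limit are assumptions; the sample message is constructed for illustration.

```php
<?php
// Added example, not Chamilo's code. Demonstrates SI-10 (validate the stored
// message body on the way in) and SI-15 (encode it on the way out) for a
// hypothetical internal-messaging render path.
declare(strict_types=1);

/**
 * SI-10: input-side validation for a message body.
 * Rejects bytes that are not valid UTF-8 (these can defeat later encoding)
 * and bodies over an assumed length limit. Validation narrows input; it is
 * not a substitute for output encoding.
 */
function validateMessageBody(string $body, int $maxLen = 10000): bool
{
    return mb_check_encoding($body, 'UTF-8')
        && mb_strlen($body, 'UTF-8') <= $maxLen;
}

/**
 * SI-15: encode an untrusted string for an HTML text node or a quoted attribute.
 * ENT_QUOTES covers both quote characters (so attribute breakouts fail),
 * ENT_SUBSTITUTE replaces malformed sequences instead of returning "" (which
 * would silently drop content), and the explicit charset avoids surprises
 * from default_charset.
 */
function encodeForHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render one message. Every stored field is encoded at the point it enters
 * the markup, regardless of who wrote it or whether it was validated earlier.
 * Returns null when the body fails validation so the caller can refuse to store/render it.
 */
function renderMessage(array $msg): ?string
{
    if (!validateMessageBody($msg['body'])) {
        return null;
    }
    return sprintf(
        '<div class="message" data-id="%s"><strong>%s</strong><p>%s</p></div>',
        encodeForHtml((string) $msg['id']),
        encodeForHtml($msg['sender']),
        encodeForHtml($msg['body'])
    );
}

// Constructed sample: sender name tries an attribute breakout, body carries a script tag.
$sample = [
    'id'     => 42,
    'sender' => 'student" onmouseover="alert(1)',
    'body'   => '<script>alert(1)</script>',
];

echo renderMessage($sample) ?? 'rejected', PHP_EOL;
```

Run with `php example.php`: the angle brackets and quotes in both fields come out as HTML entities, so the browser displays the payload as text instead of executing it. The design choice worth noting is that encoding happens in the template, not on save: a field that was stored before the fix, or written through another code path, is still neutralised at render time. Where a feature genuinely needs user-supplied formatting (a rich-text message body), the right control is an allow-list HTML sanitizer such as HTMLPurifier applied to the stored markup, not a relaxation of the encoding shown here.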
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS enables direct arbitrary JavaScript execution (T1059.007) in other users' browsers and facilitates session hijacking (T1185/T1539) for account takeover.
NVD Description
Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability in Chamilo LMS (version 1.11.32) allows an attacker to inject arbitrary JavaScript into the platform's social network and internal messaging features. When viewed by an authenticated user (including administrators), the payload executes in their browser within the LMS context. This enables full account takeover via session hijacking, unauthorized actions with the victim's privileges, exfiltration of sensitive data, and potential self-propagation to other users. This issue has been patched in version 1.11.34.
Deeper analysis
CVE-2025-55289 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in Chamilo, an open-source learning management system (LMS). It affects Chamilo LMS versions prior to 1.11.34, with the issue specifically noted in version 1.11.32. The vulnerability resides in the platform's social network and internal messaging features, where attackers can inject arbitrary JavaScript code. The flaw carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
A low-privileged authenticated attacker can exploit this vulnerability by injecting malicious JavaScript payloads into the social network or internal messaging components. When another authenticated user, including administrators, views the injected content, the payload executes in their browser within the context of the LMS. This enables full account takeover via session hijacking, execution of unauthorized actions using the victim's privileges, exfiltration of sensitive data, and potential self-propagation to other users through further messaging or social interactions.
The vulnerability has been patched in Chamilo LMS version 1.11.34. Administrators are advised to upgrade to this version or later to mitigate the issue. Additional details are available in the GitHub security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-cchj-3qmf-82j5 and the release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34.
Details
- CWE(s)