CVE-2025-59542
Published: 06 March 2026
Summary
CVE-2025-59542 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Chamilo LMS. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates inputs to the course learning path Settings field to prevent injection of malicious JavaScript by low-privileged users.
- SI-15 (Information Output Filtering): filters output from the vulnerable Settings field to block execution of stored malicious scripts in the browsers of viewing users, including administrators.
- Flaw remediation: remediates the specific stored XSS flaw by identifying, reporting, and applying the patch released in Chamilo version 1.11.34.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS directly enables script injection/execution in victim browsers (T1059.007, T1185) via public web app exploitation (T1190), leading to cookie/token theft (T1539) and account takeover.
NVD Description
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course learning path Settings field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.
Deeper analysis
CVE-2025-59542 is a stored cross-site scripting (XSS) vulnerability (CWE-79) in Chamilo, an open-source learning management system. It affects versions prior to 1.11.34 and occurs in the course learning path Settings field, where malicious JavaScript can be injected and persistently stored. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H): it is reachable over the network with low attack complexity, requires only a low-privileged account and a victim's interaction (viewing the page), crosses a scope boundary because the script runs in other users' browsers, and has high confidentiality, integrity, and availability impact.
An attacker with a low-privileged account, such as a trainer, can exploit this by injecting arbitrary JavaScript into the vulnerable field. The script then executes in the browser context of any user who views the affected course information page, including administrators. This allows exfiltration of sensitive data like session cookies or tokens, enabling account takeover of higher-privileged users.
The issue has been patched in Chamilo version 1.11.34. Organizations should upgrade to this version or later to mitigate the vulnerability. Additional details are available in the GitHub release notes at https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.34 and the security advisory at https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-pxrh-3rcp-h7m6.
Details
- CWE(s)