CVE-2025-52482 - Vulnerability Analysis
HighCVSS: 8.3Last Updated: March 2, 2026
Chamilo - Stored XSS
Published: March 2, 2026Updated: March 2, 2026Remote Exploitable
Overview
Chamilo < 1.11.30 contains a stored XSS caused by improper sanitization in the glossary function, letting users with Teachers role inject malicious JavaScript against administrators, exploit requires Teacher role.
Severity & Score
Severity: High
CVSS Score: 8.3
Impact
Attackers with Teacher role can execute malicious JavaScript in administrator's browser, potentially leading to session hijacking or further attacks.
Mitigation
Update to version 1.11.30 or later.
References
- https://github.com/chamilo/chamilo-lms/commit/241c569dde0ad0e34d558ae51271f70438189b0e
- https://github.com/chamilo/chamilo-lms/commit/82cc07edd8ef316e6b36da7c501120d5c0aeb151
- https://github.com/chamilo/chamilo-lms/commit/f9150075246df4ed9755a4a150e25edb468767be
- https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
- https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4wcp-3rh3-7wm4
Related Resources
Details
- CVE ID
- CVE-2025-52482
- Severity
- High
- CVSS Score
- 8.3
- Type
- stored_xss
- Status
- new
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L