Chamilo Learning Management System Input Validation Vulnerability Leading to Stored Cross-Site Scripting

A stored cross-site scripting vulnerability has been identified in Chamilo Learning Management System, affecting versions prior to 1.11.30. The issue arises from inadequate input validation when importing user data from CSV files, particularly in the 'Last Name', 'First Name', and 'Username' fields. This flaw allows attackers to inject XSS payloads that are executed when the user profile is viewed, potentially leading to the execution of malicious scripts in the context of the authenticated user.

Impact

Exploitation of this vulnerability allows for the injection of malicious JavaScript that is executed when an authenticated user views the affected profile. This could result in session hijacking, theft of sensitive information, or other malicious activities under the user's account.

Reproduction

To reproduce this vulnerability, log into the Chamilo admin panel and navigate to the 'Import users list' section. Upload a CSV file containing user data with an XSS payload in the 'Last Name', 'First Name', or 'Username' fields. After the file is uploaded, go to the profile page of the imported user to see the executed payload.

Remediation

Users can update to Chamilo version 1.11.30 or later, where this vulnerability has been patched.