Chamilo LMS Stored Cross-Site Scripting Vulnerability Allowing Account Takeover

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Chamilo LMS versions prior to 1.11.34. It allows an attacker to inject arbitrary JavaScript through the platform's social network and internal messaging features. The injected script executes in the browser of any authenticated user who views the stored content, including administrators, within the origin of the LMS. This can lead to full account takeover through session hijacking, unauthorized actions performed with the victim's privileges, exfiltration of sensitive data, and potential self-propagation to other users.

Impact

Exploitation of this vulnerability allows for session hijacking, leading to unauthorized access to the victim's account and privileges. It also enables the exfiltration of sensitive data and the potential for the injected script to propagate to other users.

Remediation

Users can upgrade to Chamilo LMS version 1.11.34 to address this vulnerability.

Added: Mar 6, 2026, 4:23 AM
Updated: Mar 6, 2026, 4:23 AM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          1.7
  exploitability  5.2
  remediation     7.7
  relevance       3.5
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.