CVE-2025-52482 PUBLISHED

Chamilo: Stored XSS in glossary function via /main/glossary/index.php trigger in /main/tracking/course_log_resources.php

Assigner: GitHub_M
Reserved: 17.06.2025 Published: 02.03.2026 Updated: 02.03.2026

Chamilo is a learning management system. Prior to version 1.11.30, a Stored XSS vulnerability exists in the glossary function, enabling all users with the Teachers role to inject JavaScript malicious code against the administrator. This issue has been patched in version 1.11.30.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:L
CVSS Score: 8.3

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	chamilo
Product	chamilo-lms
Versions	Version < 1.11.30 is affected

References

https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-4wcp-3rh3-7wm4
https://github.com/chamilo/chamilo-lms/commit/241c569dde0ad0e34d558ae51271f70438189b0e
https://github.com/chamilo/chamilo-lms/commit/82cc07edd8ef316e6b36da7c501120d5c0aeb151
https://github.com/chamilo/chamilo-lms/commit/f9150075246df4ed9755a4a150e25edb468767be
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE