CVE-2025-52475 - Vulnerability Details

Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This issue has been patched in version 1.11.30.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Chamilo	Chamilo Lms

Configuration 1 [-]

cpe:2.3:a:chamilo:chamilo_lms:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/chamilo/chamilo-lms/commit/349062d31533d464feea78d41996bc0857f90f61
https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30
https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7p5f-34rx-49h8

History

Tue, 03 Mar 2026 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Chamilo Chamilo chamilo Lms
CPEs		cpe:2.3:a:chamilo:chamilo_lms::::::::
Vendors & Products		Chamilo Chamilo chamilo Lms
Metrics		cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

Tue, 03 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 02 Mar 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		Chamilo is a learning management system. Prior to version 1.11.30, there is a reflected cross-site scripting (XSS) vulnerability in the admin/user_list.php endpoint. The keyword_inactive parameter is not properly sanitized, allowing attackers to inject malicious JavaScript through a crafted URL. This issue has been patched in version 1.11.30.
Title		Chamilo: Reflected XSS via keyword_inactive parameter
Weaknesses		CWE-79
References		https://github.com/chamilo/chamilo-lms/commit/349062d31533d464feea78d41996bc0857f90f61 https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-7p5f-34rx-49h8
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-02T15:49:52.825Z

Updated: 2026-03-03T16:05:54.088Z

Reserved: 2025-06-17T02:28:39.717Z

Link: CVE-2025-52475

Vulnrichment

Updated: 2026-03-03T16:05:49.291Z

NVD

Status : Analyzed

Published: 2026-03-02T16:16:21.653

Modified: 2026-03-03T18:22:26.027

Link: CVE-2025-52475

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object