CVE-2025-52564

Chamilo: HTML injection via open parameter

CVSS 6.9 MEDIUMEPSS 0.2%CWE-80

Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. This allows an attacker to inject arbitrary HTML, such as underlined text, via a crafted URL. This issue has been patched in version 1.11.30.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Produtos afetados

chamilo · chamilo-lms

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/chamilo/chamilo-lms/commit/083b1d2b0c29b0cc0313a28165ad47bebae9dcb2 https://github.com/chamilo/chamilo-lms/commit/1ee2d8bb61b67e08946cd80b1a9b92c1a9959c7b https://github.com/chamilo/chamilo-lms/releases/tag/v1.11.30 https://github.com/chamilo/chamilo-lms/security/advisories/GHSA-6fmm-qrx4-wgqc