CVE-2025-52564 | THREATINT

Description

Chamilo is a learning management system. Prior to version 1.11.30, the open parameter of help.php fails to properly sanitize user input. This allows an attacker to inject arbitrary HTML, such as underlined text, via a crafted URL. This issue has been patched in version 1.11.30.

PUBLISHED Reserved 2025-06-18 | Published 2026-03-02 | Updated 2026-03-02 | Assigner GitHub_M

MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Product status

< 1.11.30

affected

References

github.com/...lo-lms/security/advisories/GHSA-6fmm-qrx4-wgqc

github.com/...ommit/083b1d2b0c29b0cc0313a28165ad47bebae9dcb2

github.com/...ommit/1ee2d8bb61b67e08946cd80b1a9b92c1a9959c7b

github.com/chamilo/chamilo-lms/releases/tag/v1.11.30

cve.org (CVE-2025-52564)

nvd.nist.gov (CVE-2025-52564)

Download JSON