Cross-site scripting in Chamilo LMS - #VU137018
Published: July 7, 2026
Chamilo LMS
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript in the browser of users who view an injected account.
The vulnerability exists due to cross-site scripting in the update_users action of the AJAX endpoint main/inc/ajax/user_manager.ajax.php when handling attacker-controlled firstname, lastname, and email fields. A remote attacker can submit crafted profile field values to execute arbitrary JavaScript in the browser of users who view an injected account.
The injected content is rendered without HTML escaping on multiple pages, including user_portal.php, the admin user listing, user information, social profile, course participant list, and the message-composer recipient header.