Cross-site scripting in Chamilo LMS - #VU137018

 

Cross-site scripting in Chamilo LMS - #VU137018

Published: July 7, 2026


Vulnerability identifier: #VU137018
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Chamilo
Affected software:
Chamilo LMS

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary JavaScript in the browser of users who view an injected account.

The vulnerability exists due to cross-site scripting in the update_users action of the AJAX endpoint main/inc/ajax/user_manager.ajax.php when handling attacker-controlled firstname, lastname, and email fields. A remote attacker can submit crafted profile field values to execute arbitrary JavaScript in the browser of users who view an injected account.

The injected content is rendered without HTML escaping on multiple pages, including user_portal.php, the admin user listing, user information, social profile, course participant list, and the message-composer recipient header.


Remediation

Install security update from vendor's website.

Sources