CVE-2025-59542
Chamilo · Chamilo LMS
Chamilo LMS prior to 1.11.34 contains a stored XSS vulnerability in the learning path Settings field, allowing low-privileged trainers to hijack administrator accounts.
Executive summary
A critical stored cross-site scripting (XSS) vulnerability in Chamilo LMS allows authenticated attackers to escalate privileges and take over administrator accounts via malicious JavaScript injection.
Vulnerability
An authenticated attacker with "trainer" or similar low-level privileges can inject malicious JavaScript into the learning path "Settings" field of a course. When an administrator or another user views the course information page, the stored script executes in that user's browser, enabling the exfiltration of sensitive session tokens.
Business impact
With a CVSS score of 9.0, this vulnerability presents a high risk of account takeover (ATO). A successful attack against an administrator results in full control over the Learning Management System, including access to student records, proprietary course materials, and the ability to modify site-wide configurations.
Remediation
Immediate Action: Update Chamilo LMS to version 1.11.34 or later to address the insufficient input sanitization in the learning path settings.
Proactive Monitoring: Inspect the database for scripts or unusual HTML tags within the course learning path tables and monitor for anomalous administrative logins from unrecognized IP addresses.
Compensating Controls: Implement a robust Content Security Policy (CSP) to prevent the execution of inline scripts and restrict the domains from which external scripts can be loaded.
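As an added illustration of the "Proactive Monitoring" step above (example code written for this advisory, not Chamilo's own tooling), the following scans exported rows of the learning path table for active HTML content. The row layout (an `id` and a `settings` column) and the sample rows are constructed assumptions; real exports would need the column names adjusted.

```python
import html
import re

# Heuristic patterns for active content in a field that should hold only plain
# text or benign formatting. Matching is case-insensitive; values are HTML-entity
# decoded first so that encoded payloads are surfaced for review as well.
ACTIVE_CONTENT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE | re.DOTALL),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE),
    "iframe_or_object": re.compile(r"<\s*(?:iframe|object|embed)\b", re.IGNORECASE),
}


def _normalize(value):
    """Decode HTML entities (a bounded number of times) so encoded tags become visible."""
    current = value
    for _ in range(3):
        decoded = html.unescape(current)
        if decoded == current:
            break
        current = decoded
    return current


def scan_field(value):
    """Return the names of every pattern that matches the given field value."""
    text = _normalize(value or "")
    return [name for name, pattern in ACTIVE_CONTENT_PATTERNS.items() if pattern.search(text)]


def scan_rows(rows):
    """Return (id, matched_pattern_names) for each row whose settings field is suspicious."""
    findings = []
    for row in rows:
        hits = scan_field(row.get("settings", ""))
        if hits:
            findings.append((row["id"], hits))
    return findings


# Constructed sample rows (not real Chamilo data; column names are assumed).
SAMPLE_ROWS = [
    {"id": 1, "settings": "Week 1 intro <b>read chapter 2</b>"},
    {"id": 2, "settings": "<script>alert(1)</script>"},
    {"id": 3, "settings": "<img src=x onerror=alert(1)>"},
    {"id": 4, "settings": "&lt;script&gt;alert(1)&lt;/script&gt;"},
    {"id": 5, "settings": 'See <a href="https://example.com/syllabus">syllabus</a>'},
]

if __name__ == "__main__":
    for row_id, hits in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id}: {', '.join(hits)}")
```

Entity-decoded matches (row 4 in the sample) are deliberately included so that a reviewer can confirm how the application renders that field rather than assuming encoded content is inert.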
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations using Chamilo LMS should apply the 1.11.34 patch immediately. Furthermore, security teams should educate course creators on secure content practices and consider implementing multi-factor authentication (MFA) to mitigate the impact of stolen session cookies.